
Windows Analysis Report
FAR.N#U00b02430-24000993.exe

Overview

General Information

Sample name: FAR.N#U00b02430-24000993.exe (renamed because the original name is a hash value)
Original sample name: FAR.N2430-24000993.exe
Analysis ID: 1428834
MD5: fc6db4b0a1a08504c0374df93b0f517a
SHA1: bcb0b1dd0433b41936f04e3a50f388194b3d1c1c
SHA256: 7dea1d028135e07900ed820ac9e0ab9a6207906c667736f39a407fff424ce84a
Tags: agenttesla, exe, Formbook

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • FAR.N#U00b02430-24000993.exe (PID: 5632 cmdline: "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe" MD5: FC6DB4B0A1A08504C0374DF93B0F517A)
    • RegSvcs.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • newfile.exe (PID: 6244 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • newfile.exe (PID: 1096 cmdline: "C:\Users\user\AppData\Roaming\newfile\newfile.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 5176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Source | Rule | Description | Author
00000002.00000002.3345887048.000000000320E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                    System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\newfile\newfile.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1216, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile
                    No Snort rule has matched

                    AV Detection

Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Source: FAR.N#U00b02430-24000993.exe; ReversingLabs: Detection: 44%
Source: FAR.N#U00b02430-24000993.exe; Joe Sandbox ML: detected
Source: FAR.N#U00b02430-24000993.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.2236193862.00000000009A2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2097077075.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, FAR.N#U00b02430-24000993.exe, 00000000.00000003.2095818943.0000000004140000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2097077075.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, FAR.N#U00b02430-24000993.exe, 00000000.00000003.2095818943.0000000004140000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.2236193862.00000000009A2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0070C2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_007468EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose

                    Networking

Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.6:49712 -> 114.142.162.17:26
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 114.142.162.17
Source: Joe Sandbox View; ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0074CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: ip-api.com
Source: RegSvcs.exe, 00000002.00000002.3345887048.00000000031B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: FAR.N#U00b02430-24000993.exe, 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3327036410.0000000001488000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3345887048.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3327036410.0000000001488000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hostingg
Source: RegSvcs.exe, 00000002.00000002.3345887048.0000000003214000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.cash4cars.nz
Source: RegSvcs.exe, 00000002.00000002.3345887048.00000000031B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: FAR.N#U00b02430-24000993.exe, 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, cPKWk.cs; .Net Code: QEe0sUZ
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0074EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0074ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_00769576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: FAR.N#U00b02430-24000993.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: FAR.N#U00b02430-24000993.exe, 00000000.00000000.2086272101.0000000000792000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_da581f3f-5)
Source: FAR.N#U00b02430-24000993.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_b4392115-c)
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_00731201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe; Code function: 0_2_0073E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exeCode function: String function: 006F0A30 appears 46 times
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exeCode function: String function: 006EF9F2 appears 40 times
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exeCode function: String function: 006D9CB3 appears 31 times
                    Source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2100215451.000000000426D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FAR.N#U00b02430-24000993.exe
                    Source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2095699886.00000000040C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs FAR.N#U00b02430-24000993.exe
                    Source: FAR.N#U00b02430-24000993.exe, 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameea16ea75-cecb-40c7-8a5f-1ef4e83dbba6.exe4 vs FAR.N#U00b02430-24000993.exe
                    Source: FAR.N#U00b02430-24000993.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, cPs8D.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, 72CF8egH.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, G5CXsdn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, 3uPsILA6U.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, 6oQOw74dfIt.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, aMIWm.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, 3QjbQ514BDx.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, 3QjbQ514BDx.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007437B5 GetLastError,FormatMessageW,0_2_007437B5
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007310BF AdjustTokenPrivileges,CloseHandle,0_2_007310BF
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_007316C3
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_007451CD
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0075A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0075A67C
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0074648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_0074648E
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_006D42A2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\newfile
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5176:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | File created: C:\Users\user\AppData\Local\Temp\autE4C3.tmp
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: FAR.N#U00b02430-24000993.exe | ReversingLabs: Detection: 44%
                    Source: unknown | Process created: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe" (second instance)
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (second instance)
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: ucrtbase_clr0400.dll (mapped twice)
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Section loaded: same sequence (mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll twice) in the second newfile.exe instance
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: FAR.N#U00b02430-24000993.exe | Static file information: File size 1119744 > 1048576
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG (listed twice)
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.2236193862.00000000009A2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
                    Source: Binary string: wntdll.pdbUGP source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2097077075.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, FAR.N#U00b02430-24000993.exe, 00000000.00000003.2095818943.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: FAR.N#U00b02430-24000993.exe, 00000000.00000003.2097077075.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, FAR.N#U00b02430-24000993.exe, 00000000.00000003.2095818943.0000000004140000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.2236193862.00000000009A2000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: FAR.N#U00b02430-24000993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006D42DE
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F0A76 push ecx; ret 0_2_006F0A89
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0180E8C9 push B4069A68h; ret 2_2_0180E8D5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_06F711BE push es; ret 2_2_06F711C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe (dropped file)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile (written twice)
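                    The process and persistence events above describe the chain a detection engineer would want to catch from endpoint telemetry: the dropper on the Desktop starts RegSvcs.exe with the dropper's own path as the child's command line (a hollowed host keeps whatever command line its creator supplied), RegSvcs.exe then drops newfile.exe under AppData and writes the HKCU Run value newfile, and, as listed under Hooking and other Techniques below, opens the dropped file's Zone.Identifier stream with delete access. The following Python is an added example, not Joe Sandbox code and not the sample's code: it runs those three checks over a constructed, Sysmon-like event list and correlates them per PID. The event schema (type, Image, CommandLine, ParentImage, TargetObject, Details, TargetFilename), the PIDs 1234 and 777, the SID and the allow-list of .NET host binaries are assumptions; PID 5632 is the dropper PID the report gives.

```python
"""Added triage example (not Joe Sandbox code): flag the dropper -> RegSvcs.exe
-> Run key -> Zone.Identifier chain in a constructed, Sysmon-like event stream.
Event schema, PIDs 1234/777 and the SID below are assumptions."""
import ntpath
import re

# .NET Framework utilities commonly used as hollowing hosts (assumed allow-list;
# the report itself only shows RegSvcs.exe).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
# User-writable locations from which a signed system binary should not be spawned.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(desktop|downloads|appdata)\\|\\temp\\", re.I)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def first_token(cmdline: str) -> str:
    """Executable path from a command line, honouring a quoted first argument."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def commandline_mismatch(event: dict) -> bool:
    """True when the on-disk image is not the executable the command line names.
    Here RegSvcs.exe runs with the dropper's path as its command line."""
    image = ntpath.basename(event["Image"]).lower()
    named = ntpath.basename(first_token(event["CommandLine"])).lower()
    return image != named


def is_hollowing_candidate(event: dict) -> bool:
    """A .NET host started from a user-writable parent with a spoofed command line."""
    return (event["type"] == "ProcessCreate"
            and ntpath.basename(event["Image"]).lower() in DOTNET_HOSTS
            and USER_WRITABLE.search(event["ParentImage"]) is not None
            and commandline_mismatch(event))


def is_user_path_run_key(event: dict) -> bool:
    """Run value whose data points into a user-writable directory."""
    return (event["type"] == "RegistryValueSet"
            and RUN_KEY in event["TargetObject"].lower()
            and USER_WRITABLE.search(event["Details"]) is not None)


def is_motw_removal(event: dict) -> bool:
    """Deleting the Zone.Identifier stream strips the mark-of-the-web."""
    return (event["type"] == "FileDelete"
            and event["TargetFilename"].lower().endswith(":zone.identifier"))


def triage(events):
    """List of (finding, pid) for every event matching one of the checks."""
    findings = []
    for ev in events:
        if is_hollowing_candidate(ev):
            findings.append(("dotnet_host_with_spoofed_cmdline", ev["ProcessId"]))
        elif is_user_path_run_key(ev):
            findings.append(("run_key_to_user_writable_path", ev["ProcessId"]))
        elif is_motw_removal(ev):
            findings.append(("zone_identifier_removed", ev["ProcessId"]))
    return findings


def chained_pids(findings):
    """PIDs showing all three behaviours, as the hollowed RegSvcs.exe does here."""
    by_pid = {}
    for name, pid in findings:
        by_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in by_pid.items() if len(names) == 3)


# Constructed events mirroring the report. PID 5632 is from the report;
# 1234 (RegSvcs.exe) and 777 (a benign control) are made up.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "ProcessId": 5632,
     "Image": r"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe",
     "CommandLine": r'"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"type": "ProcessCreate", "ProcessId": 1234,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"',
     "ParentImage": r"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"},
    {"type": "RegistryValueSet", "ProcessId": 1234,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile",
     "Details": r"C:\Users\user\AppData\Roaming\newfile\newfile.exe"},
    {"type": "FileDelete", "ProcessId": 1234,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier"},
    # Benign control: RegSvcs.exe invoked normally, command line names itself.
    {"type": "ProcessCreate", "ProcessId": 777,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MyAssembly.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("full chain in PIDs:", chained_pids(triage(SAMPLE_EVENTS)))
```

                    The command-line mismatch is the most portable of the three checks: a legitimate RegSvcs.exe invocation names itself (the benign control event), while a hollowed one inherits the spawner's chosen string. The Run-key and Zone.Identifier checks fire on their own in many benign installers, which is why the example only treats the combination in one PID as the chain.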

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_006EF98E
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00761C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00761C41
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (58 occurrences)
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Process information set: NOOPENFILEERRORBOX (34 occurrences)

                    Malware Analysis System Evasion

                    barindex
                    Source: Yara match | File source: Process Memory Space: FAR.N#U00b02430-24000993.exe PID: 5632, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-95636
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: FAR.N#U00b02430-24000993.exe, 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 1080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 2C10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 4C10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 8C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 2370000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Memory allocated: 4370000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Thread delayed: delay time: 922337203685477 (both instances)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7950
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1881
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | API coverage: 4.0 %
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3360 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 6416 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (both instances)
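                    Two of the evasion signals in this section are easy to turn into checks. The first is the ip-api.com request with fields=hosting: the sample asks a geolocation service whether its own public IP belongs to a hosting provider, which is the lookup behind the "Check if machine is in data center or colocation facility" signature. The second is the Thread delayed value 922337203685477, which is .NET TimeSpan.MaxValue expressed in milliseconds (Int64.MaxValue ticks of 100 ns, truncated), i.e. a thread parked indefinitely; the run 100000, 99891, 99782, ... listed further down is consistent with a wait re-armed each round with the time still remaining rather than one fixed sleep. The Python below is an added example, not Joe Sandbox or sample code; the request text and the delay list are constructed from the values on this page, and the set of lookup services is an assumption.

```python
"""Added example (not Joe Sandbox or sample code): two sandbox-evasion signals
from this section as checks over inputs constructed from the page's values."""
from urllib.parse import parse_qs, urlsplit

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns. In milliseconds that is
# 9223372036854775807 / 10000 = 922337203685477.58..., which the sandbox prints truncated.
DOTNET_MAX_TIMESPAN_MS = (2**63 - 1) // 10_000

# Geolocation APIs that answer "is this IP a hosting/data-center address"
# (assumed list; only ip-api.com appears in the report).
HOSTING_LOOKUP_SERVICES = {"ip-api.com"}


def parse_http_request(raw: str):
    """Split a minimal HTTP/1.x request into (method, target, {header: value})."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_hosting_lookup(raw: str) -> bool:
    """True when the request asks a geolocation API for the 'hosting' field of the
    caller's own IP; a data-center answer makes the sample assume a sandbox."""
    _method, target, headers = parse_http_request(raw)
    host = headers.get("host", "").split(":")[0].lower()
    if host not in HOSTING_LOOKUP_SERVICES:
        return False
    query = parse_qs(urlsplit(target).query)
    fields = {f.strip().lower() for value in query.get("fields", []) for f in value.split(",")}
    return "hosting" in fields


def classify_delay(ms: int) -> str:
    """Interpret a 'Thread delayed' value given in milliseconds."""
    if ms >= DOTNET_MAX_TIMESPAN_MS:
        return "infinite"  # Thread.Sleep(TimeSpan.MaxValue): the thread never resumes
    if ms >= 30_000:
        return "long"      # past the 30 s threshold the report's sleep-time line compares against
    return "short"


def is_countdown_loop(delays, min_steps: int = 5) -> bool:
    """A strictly decreasing series with small steps (100000, 99891, 99782, ...):
    consistent with a wait re-armed each iteration with the remaining time, so the
    total delay survives even if individual sleeps are cut short."""
    if len(delays) < min_steps:
        return False
    steps = [a - b for a, b in zip(delays, delays[1:])]
    return all(0 < step < 1000 for step in steps)


# Constructed from the request line, headers and delay values this report lists.
SAMPLE_REQUEST = ("GET /line/?fields=hosting HTTP/1.1\r\n"
                  "Host: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n")
BENIGN_REQUEST = "GET /json/?fields=country,city HTTP/1.1\r\nHost: ip-api.com\r\n\r\n"
SAMPLE_DELAYS = [100000, 99891, 99782, 99657, 99532, 99407, 99282]

if __name__ == "__main__":
    print("hosting lookup:", is_hosting_lookup(SAMPLE_REQUEST))
    print("922337203685477 ms is", classify_delay(922337203685477))
    print("countdown loop:", is_countdown_loop(SAMPLE_DELAYS))
```

                    On the network side the useful discriminator is the fields parameter, not the host alone: plenty of software queries ip-api.com for country or city, but a non-browser process asking specifically for hosting, and then going quiet, is the evasion pattern. On the host side, an infinite sleep from a freshly started RegSvcs.exe or newfile.exe is a stronger signal than any single long sleep, because no legitimate use of that binary parks its main thread forever.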
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0073DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0073DBBE
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0070C2A2 FindFirstFileExW,0_2_0070C2A2
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007468EE FindFirstFileW,FindClose,0_2_007468EE
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0074698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0074698F
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0073D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0073D076
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0073D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0073D3A9
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00749642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00749642
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0074979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0074979D
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00749B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00749B2B
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00745C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00745C97
                    Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006D42DE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000, 99891, 99782, 99657, 99532, 99407, 99282, 99169, 99063, 98922, 98813, 98703, 98594, 98485, 98360, 98235, 98110 (one event per value, in this order)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96985Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96610Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95993Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95188Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94933Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94719Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94485Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94360Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94235Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94110Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\newfile\newfile.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: vmware
                    Source: RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: RegSvcs.exe, 00000002.00000002.3350073689.00000000064DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_018070C0 CheckRemoteDebuggerPresent,2_2_018070C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0074EAA2 BlockInput,0_2_0074EAA2
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00702622
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006D42DE
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F4CE8 mov eax, dword ptr fs:[00000030h]0_2_006F4CE8
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_01543570 mov eax, dword ptr fs:[00000030h]0_2_01543570
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_01543510 mov eax, dword ptr fs:[00000030h]0_2_01543510
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_01541ED0 mov eax, dword ptr fs:[00000030h]0_2_01541ED0
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00730B62
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00702622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00702622
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_006F083F
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F09D5 SetUnhandledExceptionFilter,0_2_006F09D5
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_006F0C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1001008
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00731201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00731201
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00712BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00712BA5
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0073B226 SendInput,keybd_event,0_2_0073B226
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_007522DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,0_2_007522DA
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00730B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00730B62
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00731663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00731663
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006F0698 cpuid 0_2_006F0698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00748195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00748195
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0072D27A GetUserNameW,0_2_0072D27A
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_0070B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0070B952
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_006D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_006D42DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3345887048.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FAR.N#U00b02430-24000993.exe PID: 5632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_81
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_XP
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_XPe
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_VISTA
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_7
Source: FAR.N#U00b02430-24000993.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FAR.N#U00b02430-24000993.exe PID: 5632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.FAR.N#U00b02430-24000993.exe.1560000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.3345887048.000000000320E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: FAR.N#U00b02430-24000993.exe PID: 5632, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1216, type: MEMORYSTR
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00751204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00751204
Source: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe | Code function: 0_2_00751806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00751806
MITRE ATT&CK Matrix

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 121 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | 2 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 38 System Information Discovery | Distributed Component Object Model | 121 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 1 Masquerading | LSA Secrets | 541 Security Software Discovery | SSH | 3 Clipboard Data | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 251 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 251 Virtualization/Sandbox Evasion | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 212 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Hidden Files and Directories | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
Behavior Graph ID: 1428834
Sample: FAR.N#U00b02430-24000993.exe
Startdate: 19/04/2024
Architecture: WINDOWS
Score: 100
• DNS/IP: mail.cash4cars.nz, ip-api.com
• Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 7 other signatures
• Process started: FAR.N#U00b02430-24000993.exe
  • Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
  • Process started: RegSvcs.exe
    • DNS/IP: mail.cash4cars.nz 114.142.162.17, 26 (SERVERMULE-AS-APNimbus2PtyLtdAU, Australia); ip-api.com 208.95.112.1, 49711, 80 (TUT-ASUS, United States)
    • Dropped: C:\Users\user\AppData\Roaming\...\newfile.exe, PE32
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); 4 other signatures
• Process started: newfile.exe
  • Process started: conhost.exe
• Process started: newfile.exe
  • Process started: conhost.exe

• Source: FAR.N#U00b02430-24000993.exe, Detection: 45%, Scanner: ReversingLabs, Label: Win32.Spyware.Negasteal
• Source: FAR.N#U00b02430-24000993.exe, Detection: 100%, Scanner: Joe Sandbox ML
• Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe, Detection: 0%, Scanner: ReversingLabs
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
• Name: mail.cash4cars.nz, IP: 114.142.162.17, Active: true, Malicious: true, Reputation: unknown
• Name: ip-api.com, IP: 208.95.112.1, Active: true, Malicious: false, Reputation: high
• Name: http://ip-api.com/line/?fields=hosting, Malicious: false, Reputation: high
• Name: http://ip-api.com/line/?fields=hostingg, Source: RegSvcs.exe, 00000002.00000002.3327036410.0000000001488000.00000004.00000020.00020000.00000000.sdmp, Malicious: false, Reputation: high
• Name: http://mail.cash4cars.nz, Source: RegSvcs.exe, 00000002.00000002.3345887048.0000000003214000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Reputation: unknown
• Name: https://account.dyn.com/, Source: FAR.N#U00b02430-24000993.exe, 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Malicious: false, Reputation: high
• Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name, Source: RegSvcs.exe, 00000002.00000002.3345887048.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Reputation: high
• Name: http://ip-api.com, Source: RegSvcs.exe, 00000002.00000002.3345887048.00000000031B1000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Reputation: high
• IP: 208.95.112.1, Domain: ip-api.com, Country: United States, ASN: 53334, ASN Name: TUT-ASUS, Malicious: false
• IP: 114.142.162.17, Domain: mail.cash4cars.nz, Country: Australia, ASN: 133525, ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU, Malicious: true
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1428834
                                    Start date and time:2024-04-19 17:22:08 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 50s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:FAR.N#U00b02430-24000993.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:FAR.N2430-24000993.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/8@2/2
                                    EGA Information:
                                    • Successful, ratio: 50%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 50
                                    • Number of non-executed functions: 301
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target newfile.exe, PID 1096 because it is empty
                                    • Execution Graph export aborted for target newfile.exe, PID 6244 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • VT rate limit hit for: FAR.N#U00b02430-24000993.exe
• Time: 17:22:59, Type: API Interceptor, Description: 159x Sleep call for process: RegSvcs.exe modified
• Time: 17:23:02, Type: Autostart, Description: Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
• Time: 17:23:11, Type: Autostart, Description: Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run newfile C:\Users\user\AppData\Roaming\newfile\newfile.exe
Match: 208.95.112.1
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: 00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: PO-095325.scr.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: UPDATED SSTATEMENT OF ACCOUNT.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: ip-api.com/line/?fields=hosting
• Sample: REMITTANCE COPY.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: New Voicemail_Daiichi-Sankyo.html, Detection: malicious, Threat Name: HTMLPhisher, Context: ip-api.com/json/?fields=status,country,regionName,city,query
• Sample: DHL.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
• Sample: KjCBSM7Ukv.exe, Detection: malicious, Threat Name: PureLog Stealer, XWorm, Context: ip-api.com/line/?fields=hosting
• Sample: eO2bqORIJb.exe, Detection: malicious, Threat Name: AgentTesla, Context: ip-api.com/line/?fields=hosting
Match: 114.142.162.17
• URL: http://otahuhumainstreet.co.nz, Detection: malicious, Threat Name: Unknown, Context: otahuhumainstreet.co.nz/
Match: ip-api.com
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: 00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: PO-095325.scr.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: UPDATED SSTATEMENT OF ACCOUNT.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 208.95.112.1
• Sample: REMITTANCE COPY.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: New Voicemail_Daiichi-Sankyo.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 208.95.112.1
• Sample: DHL.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: KjCBSM7Ukv.exe, Detection: malicious, Threat Name: PureLog Stealer, XWorm, Context: 208.95.112.1
• Sample: eO2bqORIJb.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
Match: mail.cash4cars.nz
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla, Context: 114.142.162.17
• Sample: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: justificante.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Transferencia 4334300002017359pdf.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: 20220830_ProtecoPTE.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Klkket.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: PEDIDO MILWAUKEE 00652024.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Psychologizing.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: RFQ122.494001.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: FACTURA2402616 - BP.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
Match: SERVERMULE-AS-APNimbus2PtyLtdAU
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla, Context: 114.142.162.17
• Sample: 20220829_PEDIDO_22073M_PROTECO_LIMPIEZA_Y_KITS.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: justificante.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Transferencia 4334300002017359pdf.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: 20220830_ProtecoPTE.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Klkket.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: PEDIDO MILWAUKEE 00652024.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: Psychologizing.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: RFQ122.494001.vbe, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
• Sample: FACTURA2402616 - BP.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 114.142.162.17
Match: TUT-ASUS
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: 00_datos de la transacci#U00f3n rechazada y n#U00famero de cuenta incorrecto.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: PO-095325.scr.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: UPDATED SSTATEMENT OF ACCOUNT.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs, Detection: malicious, Threat Name: AgentTesla, GuLoader, Context: 208.95.112.1
• Sample: REMITTANCE COPY.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: New Voicemail_Daiichi-Sankyo.html, Detection: malicious, Threat Name: HTMLPhisher, Context: 208.95.112.1
• Sample: DHL.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
• Sample: KjCBSM7Ukv.exe, Detection: malicious, Threat Name: PureLog Stealer, XWorm, Context: 208.95.112.1
• Sample: eO2bqORIJb.exe, Detection: malicious, Threat Name: AgentTesla, Context: 208.95.112.1
                                    No context
Match: C:\Users\user\AppData\Roaming\newfile\newfile.exe
• Sample: tems.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: HBL.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: SecuriteInfo.com.Heur.15333.25205.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: SecuriteInfo.com.FileRepMalware.7644.21541.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: Cintillo 2024.pdf.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: SHIPMENT ADVICE FOR CLEARTEX.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: REQUEST FOR QUOTATION.exe, Detection: malicious, Threat Name: Unknown
• Sample: 67002314579XX.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: Quotation 22001625_REV001.exe, Detection: malicious, Threat Name: AgentTesla
• Sample: justificante - 2024-04-16T133815.900.exe, Detection: malicious, Threat Name: AgentTesla
                                                        Process:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:modified
                                                        Size (bytes):142
                                                        Entropy (8bit):5.090621108356562
                                                        Encrypted:false
                                                        SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                        MD5:8C0458BB9EA02D50565175E38D577E35
                                                        SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                        SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                        SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                        Process:C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):157720
                                                        Entropy (8bit):7.884870119185333
                                                        Encrypted:false
                                                        SSDEEP:3072:IkGLdtRNUevIWvLJWKK/lFW0HT2wGXx40RAuulx4cE:sTUetvLJWt/zZHTkhBKE
                                                        MD5:91FE9C86E5DBA5162BC2009796390A4D
                                                        SHA1:D0D2AD77DF220A5B69211855971A995E21301196
                                                        SHA-256:625AECAF209AFBA7B3CEEC972E02D93AD1A4A23FFC12D13E9D0A05B731EB0C45
                                                        SHA-512:7BA0AE92B72F3A72FD89F5284D5429363CE49DAE03DF550A7CAE67D0D5F041DD2F974300C8BAC77A8F297FC11D8C4DA623B965DE1A9DB5C3F5E91B0F5F0CC436
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):9994
                                                        Entropy (8bit):7.691552960471397
                                                        Encrypted:false
                                                        SSDEEP:192:C5L1fjxqLFVvqjW1oIfBKCYZ7DkDeRHj8l7yv2Mu8Dh4Q5D6IxEMwaxg44IX2:C5LVEL2JCYRDgeRHwl742Mu894Ypnwq6
                                                        MD5:FE0E8387FCB3C078E7DEC66871CF1279
                                                        SHA1:7A49B895E97E2AB7A22600D8C0038CF0BBCF5C1D
                                                        SHA-256:F0E4C4756BD84CB13B788FBF6A575DAED3BA5472AF5C34916EBA65E3A305B33A
                                                        SHA-512:1F89A3D9F199941E27331DAE3D8D602A3836CCC0904209CE1E152C377235C6996B8C354B312C1973240B89966DB0ECFC7F22149ACB4F0C04E4E510B81E3201A3
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                        File Type:ASCII text, with very long lines (29698), with no line terminators
                                                        Category:dropped
                                                        Size (bytes):29698
                                                        Entropy (8bit):4.485436146250109
                                                        Encrypted:false
                                                        SSDEEP:384:QmogElNuNba09lcV/ZOfcQIqwDTywGVxgq5MSfZON03MlQ8THJCf9r3w35dImP6Z:QmlIc+RZOfcQcGVxgq5MSfUnCtl+PFk
                                                        MD5:6C8BF35041BFD0C2F3745CC9224AACE2
                                                        SHA1:666F6A4C0AA3D4830B942F190BED3D74E5D0E397
                                                        SHA-256:775B53E000B1901EC451C6D253BD8CF772343D1CA682ABB59F4B583FE65CB2F6
                                                        SHA-512:D24DABC47E8D4987E1554EB8AEFB646B72169A79C840089AAEF591F672D5D56DBC125E3BFA0BA349722E0E3902DE0DDAA861CD16C38D0A7E7A210DBEB64C7D53
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):244736
                                                        Entropy (8bit):6.7132066068118945
                                                        Encrypted:false
                                                        SSDEEP:6144:WkfbTP3spVreXJKnjbBugxg2LjL+ogjWDv4:WSbTP3QyAjggpXL+ogjWDv4
                                                        MD5:F7597840E272C39C9F3C2D0DB39AF894
                                                        SHA1:11229837CD9908DE6B71A04D4067F8A5AB8755C3
                                                        SHA-256:617E41B9186A42698D36B3DB941E9DB1CD368364122B3A90F3BC92BE8F2E93E5
                                                        SHA-512:63E17903AC39B1ADC7FE74AF521862DCC2BC992691AD69F0E1C6967D852223BCFE91652472FBE361E65B3D63C33C2C71E2D37CC1E9E799D0FA6E905C533856F1
                                                        Malicious:false
                                                        Reputation:low
                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):45984
                                                        Entropy (8bit):6.16795797263964
                                                        Encrypted:false
                                                        SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                        MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                        SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                        SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                        SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: tems.exe, Detection: malicious, Browse
                                                        • Filename: HBL.exe, Detection: malicious, Browse
                                                        • Filename: SecuriteInfo.com.Heur.15333.25205.exe, Detection: malicious, Browse
                                                        • Filename: SecuriteInfo.com.FileRepMalware.7644.21541.exe, Detection: malicious, Browse
                                                        • Filename: Cintillo 2024.pdf.exe, Detection: malicious, Browse
                                                        • Filename: SHIPMENT ADVICE FOR CLEARTEX.exe, Detection: malicious, Browse
                                                        • Filename: REQUEST FOR QUOTATION.exe, Detection: malicious, Browse
                                                        • Filename: 67002314579XX.exe, Detection: malicious, Browse
                                                        • Filename: Quotation 22001625_REV001.exe, Detection: malicious, Browse
                                                        • Filename: justificante - 2024-04-16T133815.900.exe, Detection: malicious, Browse
                                                        Reputation:moderate, very likely benign file
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...
                                                        Process:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1141
                                                        Entropy (8bit):4.442398121585593
                                                        Encrypted:false
                                                        SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                        MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                        SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                        SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                        SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c
                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                        Entropy (8bit):6.970776251416459
                                                        TrID:
                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                        • DOS Executable Generic (2002/1) 0.02%
                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                        File name:FAR.N#U00b02430-24000993.exe
                                                        File size:1'119'744 bytes
                                                        MD5:fc6db4b0a1a08504c0374df93b0f517a
                                                        SHA1:bcb0b1dd0433b41936f04e3a50f388194b3d1c1c
                                                        SHA256:7dea1d028135e07900ed820ac9e0ab9a6207906c667736f39a407fff424ce84a
                                                        SHA512:90cbe574fb288aa2bdfc64b1c95723eb3e4fbf9c6bc7157c127bc7b71241681e629edc0c4a84e941461abe07ae2f1cc9069740bcf66001d91064b84ea0041eb8
                                                        SSDEEP:24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8a2xPXKQNut5/xH:lTvC/MTQYxsWR7a29ut5/
                                                        TLSH:6A35BF0273D1C062FFAB92734B5AF6115BBC6A260123E61F13981D79BE701B1563E7A3
                                                        File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                        Icon Hash:aaf3e3e3938382a0
                                                        Entrypoint:0x420577
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6621D708 [Fri Apr 19 02:29:28 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:5
                                                        OS Version Minor:1
                                                        File Version Major:5
                                                        File Version Minor:1
                                                        Subsystem Version Major:5
                                                        Subsystem Version Minor:1
                                                        Import Hash:948cc502fe9226992dce9417f952fce3
                                                        Instruction
                                                        call 00007F30ACB4FC63h
                                                        jmp 00007F30ACB4F56Fh
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        push dword ptr [ebp+08h]
                                                        mov esi, ecx
                                                        call 00007F30ACB4F74Dh
                                                        mov dword ptr [esi], 0049FDF0h
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        and dword ptr [ecx+04h], 00000000h
                                                        mov eax, ecx
                                                        and dword ptr [ecx+08h], 00000000h
                                                        mov dword ptr [ecx+04h], 0049FDF8h
                                                        mov dword ptr [ecx], 0049FDF0h
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        push dword ptr [ebp+08h]
                                                        mov esi, ecx
                                                        call 00007F30ACB4F71Ah
                                                        mov dword ptr [esi], 0049FE0Ch
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        and dword ptr [ecx+04h], 00000000h
                                                        mov eax, ecx
                                                        and dword ptr [ecx+08h], 00000000h
                                                        mov dword ptr [ecx+04h], 0049FE14h
                                                        mov dword ptr [ecx], 0049FE0Ch
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        mov esi, ecx
                                                        lea eax, dword ptr [esi+04h]
                                                        mov dword ptr [esi], 0049FDD0h
                                                        and dword ptr [eax], 00000000h
                                                        and dword ptr [eax+04h], 00000000h
                                                        push eax
                                                        mov eax, dword ptr [ebp+08h]
                                                        add eax, 04h
                                                        push eax
                                                        call 00007F30ACB5230Dh
                                                        pop ecx
                                                        pop ecx
                                                        mov eax, esi
                                                        pop esi
                                                        pop ebp
                                                        retn 0004h
                                                        lea eax, dword ptr [ecx+04h]
                                                        mov dword ptr [ecx], 0049FDD0h
                                                        push eax
                                                        call 00007F30ACB52358h
                                                        pop ecx
                                                        ret
                                                        push ebp
                                                        mov ebp, esp
                                                        push esi
                                                        mov esi, ecx
                                                        lea eax, dword ptr [esi+04h]
                                                        mov dword ptr [esi], 0049FDD0h
                                                        push eax
                                                        call 00007F30ACB52341h
                                                        test byte ptr [ebp+08h], 00000001h
                                                        pop ecx
                                                        Programming Language:
                                                        • [ C ] VS2008 SP1 build 30729
                                                        • [IMP] VS2008 SP1 build 30729
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc8e64          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xd4000          0x3abec       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x10f000         0x7594        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xb0ff0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc3400          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb1010          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x9c000          0x894         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type                                       Entropy             Characteristics
.text   0x1000           0x9ab1d       0x9ac00   0a1473f3064dcbc32ef93c5c8a90f3a6  False     0.565500681542811    data                                            6.668273581389308   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x9c000          0x2fb82       0x2fc00   c9cf2468b60bf4f80f136ed54b3989fb  False     0.35289185209424084  data                                            5.691811547483722   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xcc000          0x706c        0x4800    53b9025d545d65e23295e30afdbd16d9  False     0.04356553819444445  DOS executable (block device driver @\273\)     0.5846666986982398  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xd4000          0x3abec       0x3ac00   907f37d6ed79e916d338444440d0cb54  False     0.8888754986702128   data                                            7.798271812071214   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x10f000         0x7594        0x7600    c68ee8931a32d45eb82dc450ee40efc3  False     0.7628111758474576   data                                            6.7972128181359786  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
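The section table shows .rsrc at an entropy of 7.80 over 0x3ac00 raw bytes, well above the 6.67 of the code section, and the resource table that follows attributes most of it to a single RT_RCDATA entry of 0x31e84 bytes with a ZLIB complexity of 1.0, i.e. incompressible. That layout (native interpreter code plus one large opaque resource) is what a compiled AutoIt executable looks like, since AutoIt carries the compiled script as an RCDATA resource. The following is an added example, not Joe Sandbox code and not anything taken from the sample: a minimal PE section-table walker that reproduces the per-section 8-bit entropy and flags large high-entropy sections. The PE image it runs on is constructed inside the code, and the thresholds and helper names are the example's own.

```python
import hashlib
import math
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) .. 8.0 (uniform); the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a PE image and measure each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(raw), "characteristics": chars,
        })
    return sections


def packed_sections(sections, min_entropy=7.2, min_share=0.05):
    """Names of sections that look compressed or encrypted: high entropy AND a
    non-trivial share of the file (tiny high-entropy sections are usually noise)."""
    total = sum(s["raw_size"] for s in sections) or 1
    return [s["name"] for s in sections
            if s["entropy"] >= min_entropy and s["raw_size"] / total >= min_share]


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (NOT the analysed sample): a low-entropy
    .text stub and a .rsrc section filled with a deterministic SHA-256 chain, which
    is as incompressible as the report's resource section."""
    text = (b"\x55\x8b\xec" * 100).ljust(0x200, b"\0")   # push ebp / mov ebp,esp, then padding
    blob, link = b"", b"constructed-seed"
    while len(blob) < 0x1000:
        link = hashlib.sha256(link).digest()
        blob += link
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)            # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 2 sections, PE32 optional header of 0xE0 bytes
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", headers, 0x58, 0x10B)           # optional header Magic = PE32
    table = 0x58 + 0xE0
    struct.pack_into(SECTION_HDR, headers, table, b".text", 0x200, 0x1000, 0x200, 0x200,
                     0, 0, 0, 0, 0x60000020)                # CODE | EXECUTE | READ
    struct.pack_into(SECTION_HDR, headers, table + 40, b".rsrc", 0x1000, 0x2000, 0x1000, 0x400,
                     0, 0, 0, 0, 0x40000040)                # INITIALIZED_DATA | READ
    return bytes(headers) + text + blob


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    secs = parse_sections(data)
    for s in secs:
        print(f"{s['name']:8} va=0x{s['va']:x} raw=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
    print("packed:", packed_sections(secs))
```

Run it against the constructed image or pass a real PE path on the command line. A single large section near 8.0 bits per byte with a small code section beside it is the signature of a wrapper carrying an opaque payload; against the report's numbers the same rule would return .rsrc.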
Name           RVA       Size     Type                                                                                  Language  Country        ZLIB Complexity
RT_ICON        0xd45a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.7466216216216216
RT_ICON        0xd46d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors   English   Great Britain  0.3277027027027027
RT_ICON        0xd47f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                        English   Great Britain  0.3885135135135135
RT_ICON        0xd4920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0                          English   Great Britain  0.3333333333333333
RT_ICON        0xd4c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0                          English   Great Britain  0.5
RT_ICON        0xd4d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0                          English   Great Britain  0.2835820895522388
RT_ICON        0xd5bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0                          English   Great Britain  0.37906137184115524
RT_ICON        0xd6480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0                          English   Great Britain  0.23699421965317918
RT_ICON        0xd69e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0                         English   Great Britain  0.13858921161825727
RT_ICON        0xd8f90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0                         English   Great Britain  0.25070356472795496
RT_ICON        0xda038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0                         English   Great Britain  0.3173758865248227
RT_MENU        0xda4a0   0x50     data                                                                                  English   Great Britain  0.9
RT_STRING      0xda4f0   0x594    data                                                                                  English   Great Britain  0.3333333333333333
RT_STRING      0xdaa84   0x68a    data                                                                                  English   Great Britain  0.2735961768219833
RT_STRING      0xdb110   0x490    data                                                                                  English   Great Britain  0.3715753424657534
RT_STRING      0xdb5a0   0x5fc    data                                                                                  English   Great Britain  0.3087467362924282
RT_STRING      0xdbb9c   0x65c    data                                                                                  English   Great Britain  0.34336609336609336
RT_STRING      0xdc1f8   0x466    data                                                                                  English   Great Britain  0.3605683836589698
RT_STRING      0xdc660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                      English   Great Britain  0.502906976744186
RT_RCDATA      0xdc7b8   0x31e84  data                                                                                  -         -              1.0003473241365815
RT_GROUP_ICON  0x10e63c  0x76     data                                                                                  English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x10e6b4  0x14     data                                                                                  English   Great Britain  1.25
RT_GROUP_ICON  0x10e6c8  0x14     data                                                                                  English   Great Britain  1.15
RT_GROUP_ICON  0x10e6dc  0x14     data                                                                                  English   Great Britain  1.25
RT_VERSION     0x10e6f0  0x10c    data                                                                                  English   Great Britain  0.5895522388059702
RT_MANIFEST    0x10e7fc  0x3ef    ASCII text, with CRLF line terminators                                                English   Great Britain  0.5074478649453823
DLL           Import
WSOCK32.dll   gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll   GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll     timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll  ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll       WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll   HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL     GetProcessMemoryInfo
IPHLPAPI.DLL  IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll   DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll   IsThemeActive
KERNEL32.dll  DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll    GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll     EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll  GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll  GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll   DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll     CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll  CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
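The Import Hash given in the file information (948cc502fe9226992dce9417f952fce3) is the MD5 of this import list after normalisation, taken in import-directory order. The import set on this page is the AutoIt3 interpreter's (mciSendStringW, BlockInput, SetVolumeLabelW, SHEmptyRecycleBinW and the rest are AutoIt built-ins), so the imphash pivots to other binaries compiled with the same interpreter version, regardless of which script or payload they carry; it says nothing about the AgentTesla stage inside. Added example, not Joe Sandbox code: the normalisation the imphash applies (lower-case, library extension stripped, ordinal-only imports mapped to names where the reference tables know them, comma-joined, MD5). The ordinal table here is a four-entry illustration of that mapping, and whether the list above reproduces the report's value depends on it being the complete ordered import directory including any ordinal-only entries, which the page does not guarantee, so the value is not reproduced here.

```python
import hashlib

# Illustrative subset of the ordinal-to-name tables the reference imphash uses
# for libraries that are commonly imported by ordinal. Only four entries are
# listed here; a real implementation carries the full ws2_32 / oleaut32 tables.
ORDINAL_NAMES = {
    ("ws2_32", 1): "accept",
    ("ws2_32", 23): "socket",
    ("oleaut32", 2): "sysallocstring",
    ("oleaut32", 6): "sysfreestring",
}


def imphash(imports):
    """imports: list of (dll, symbol) in import-directory order; symbol is a str
    for a by-name import or an int for an ordinal-only import."""
    parts = []
    for dll, sym in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):     # only these extensions are stripped
            if lib.endswith(ext):
                lib = lib[:-len(ext)]
                break
        if isinstance(sym, int):
            name = ORDINAL_NAMES.get((lib, sym), f"ord{sym}")
        else:
            name = sym.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed input: the first few entries of the page's WSOCK32/VERSION rows,
# in the order the report lists them.
SAMPLE_IMPORTS = [
    ("WSOCK32.dll", "gethostbyname"), ("WSOCK32.dll", "recv"), ("WSOCK32.dll", "send"),
    ("WSOCK32.dll", "socket"), ("VERSION.dll", "GetFileVersionInfoW"),
]

if __name__ == "__main__":
    print(imphash(SAMPLE_IMPORTS))
```

Because the hash is order-sensitive and keyed only on which symbols are imported, two samples differing in every byte of their payload resource still share it, which is exactly why it is a good pivot for the wrapper family and a poor one for the payload.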
Language of compilation system  Country where language is spoken
English                         Great Britain
Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Apr 19, 2024 17:22:59.006534100 CEST  49711        80         192.168.2.6     208.95.112.1
Apr 19, 2024 17:22:59.122282028 CEST  80           49711      208.95.112.1    192.168.2.6
Apr 19, 2024 17:22:59.122481108 CEST  49711        80         192.168.2.6     208.95.112.1
Apr 19, 2024 17:22:59.123483896 CEST  49711        80         192.168.2.6     208.95.112.1
Apr 19, 2024 17:22:59.292146921 CEST  80           49711      208.95.112.1    192.168.2.6
Apr 19, 2024 17:22:59.340434074 CEST  49711        80         192.168.2.6     208.95.112.1
Apr 19, 2024 17:23:00.313030958 CEST  49712        26         192.168.2.6     114.142.162.17
Apr 19, 2024 17:23:01.324706078 CEST  49712        26         192.168.2.6     114.142.162.17
Apr 19, 2024 17:23:03.324712038 CEST  49712        26         192.168.2.6     114.142.162.17
Apr 19, 2024 17:23:07.324785948 CEST  49712        26         192.168.2.6     114.142.162.17
Apr 19, 2024 17:23:15.324701071 CEST  49712        26         192.168.2.6     114.142.162.17
Apr 19, 2024 17:23:50.767529011 CEST  49711        80         192.168.2.6     208.95.112.1
Apr 19, 2024 17:23:50.883809090 CEST  80           49711      208.95.112.1    192.168.2.6
Apr 19, 2024 17:23:50.883929968 CEST  49711        80         192.168.2.6     208.95.112.1
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 19, 2024 17:22:58.895828009 CEST  60759        53         192.168.2.6  1.1.1.1
Apr 19, 2024 17:22:59.000439882 CEST  53           60759      1.1.1.1      192.168.2.6
Apr 19, 2024 17:22:59.910242081 CEST  58094        53         192.168.2.6  1.1.1.1
Apr 19, 2024 17:23:00.312007904 CEST  53           58094      1.1.1.1      192.168.2.6
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Apr 19, 2024 17:22:58.895828009 CEST  192.168.2.6  1.1.1.1  0x51ae    Standard query (0)  ip-api.com         A (IP address)  IN (0x0001)  false
Apr 19, 2024 17:22:59.910242081 CEST  192.168.2.6  1.1.1.1  0x16bf    Standard query (0)  mail.cash4cars.nz  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class        DNS over HTTPS
Apr 19, 2024 17:22:59.000439882 CEST  1.1.1.1    192.168.2.6  0x51ae    No error (0)  ip-api.com                208.95.112.1    A (IP address)  IN (0x0001)  false
Apr 19, 2024 17:23:00.312007904 CEST  1.1.1.1    192.168.2.6  0x16bf    No error (0)  mail.cash4cars.nz         114.142.162.17  A (IP address)  IN (0x0001)  false
• ip-api.com

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.6  49711        208.95.112.1    80                1216  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp                             Bytes transferred  Direction  Data
Apr 19, 2024 17:22:59.123483896 CEST  80                 OUT
GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Apr 19, 2024 17:22:59.292146921 CEST  174                IN
HTTP/1.1 200 OK
Date: Fri, 19 Apr 2024 15:22:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 74 72 75 65 0a
Data Ascii: true
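Two things in the network tables above matter for triage. The GET /line/?fields=hosting to ip-api.com came back with the body "true", meaning the analysis VM's public address sits in a hosting range; that lookup is what the report's "Check if machine is in data center or colocation facility" signature keys on. And from port 49712 the sample sent five packets to 114.142.162.17:26 (the address the DNS answer gave for mail.cash4cars.nz) at roughly 1, 2, 4 and 8 second spacing, with not a single packet coming back. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling; it re-enters the rows above as constructed input and applies two checks of its own. Reading the doubling spacing as TCP SYN retransmissions to a server that never answered, treating port 26 on a host named mail.* as a mail submission port, and the thresholds used are this example's assumptions.

```python
"""Triage of the network tables of a sandbox report.

Added example, not part of the Joe Sandbox report. The packet rows, DNS
answers and HTTP exchange below are constructed from the values printed on
this page; the two heuristics (the ip-api.com "hosting" sandbox check and
the unanswered, exponentially spaced connection attempts to port 26) are this
example's own interpretation of that data.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOCAL_IP = "192.168.2.6"  # the analysis VM, from the report

# Constructed from the report's TCP packet table:
# (timestamp, source port, dest port, source IP, dest IP)
TCP_ROWS = [
    ("Apr 19, 2024 17:22:59.122481108", 49711, 80, LOCAL_IP, "208.95.112.1"),
    ("Apr 19, 2024 17:22:59.123483896", 49711, 80, LOCAL_IP, "208.95.112.1"),
    ("Apr 19, 2024 17:22:59.292146921", 80, 49711, "208.95.112.1", LOCAL_IP),
    ("Apr 19, 2024 17:22:59.340434074", 49711, 80, LOCAL_IP, "208.95.112.1"),
    ("Apr 19, 2024 17:23:00.313030958", 49712, 26, LOCAL_IP, "114.142.162.17"),
    ("Apr 19, 2024 17:23:01.324706078", 49712, 26, LOCAL_IP, "114.142.162.17"),
    ("Apr 19, 2024 17:23:03.324712038", 49712, 26, LOCAL_IP, "114.142.162.17"),
    ("Apr 19, 2024 17:23:07.324785948", 49712, 26, LOCAL_IP, "114.142.162.17"),
    ("Apr 19, 2024 17:23:15.324701071", 49712, 26, LOCAL_IP, "114.142.162.17"),
    ("Apr 19, 2024 17:23:50.767529011", 49711, 80, LOCAL_IP, "208.95.112.1"),
    ("Apr 19, 2024 17:23:50.883809090", 80, 49711, "208.95.112.1", LOCAL_IP),
    ("Apr 19, 2024 17:23:50.883929968", 49711, 80, LOCAL_IP, "208.95.112.1"),
]

# Constructed from the report's DNS answer table: name -> A record
DNS_ANSWERS = {"ip-api.com": "208.95.112.1", "mail.cash4cars.nz": "114.142.162.17"}

# Constructed from the report's HTTP session: request line, Host header, response body
HTTP_REQUEST = ("GET /line/?fields=hosting HTTP/1.1", "ip-api.com", "true\n")


def parse_ts(ts):
    """Sandbox timestamps carry nanoseconds; strptime's %f takes at most six digits."""
    return datetime.strptime(ts[:-3], "%b %d, %Y %H:%M:%S.%f")


def flows_by_server(rows):
    """Group packets per remote (ip, port): outbound send times plus an inbound count."""
    flows = defaultdict(lambda: {"out_times": [], "in_count": 0})
    for ts, sport, dport, src, dst in rows:
        if src == LOCAL_IP:
            flows[(dst, dport)]["out_times"].append(parse_ts(ts))
        else:
            flows[(src, sport)]["in_count"] += 1
    return flows


def is_exponential_backoff(times, tolerance=0.25):
    """True when successive gaps roughly double, the spacing a TCP stack produces
    while retransmitting SYNs that nobody answers (assumption, see lead-in)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return False
    return all(abs(later / earlier - 2.0) <= 2.0 * tolerance
               for earlier, later in zip(gaps, gaps[1:]))


def unanswered_flows(rows, dns, min_attempts=3):
    """Remote endpoints the sample kept sending to without one reply packet."""
    reverse = {ip: name for name, ip in dns.items()}
    findings = []
    for (ip, port), f in sorted(flows_by_server(rows).items()):
        if f["in_count"] == 0 and len(f["out_times"]) >= min_attempts:
            findings.append({
                "server": (ip, port),
                "name": reverse.get(ip),
                "attempts": len(f["out_times"]),
                "exponential_backoff": is_exponential_backoff(f["out_times"]),
            })
    return findings


def hosting_check(request_line, host, body):
    """Flag the ip-api.com 'hosting' lookup that samples use to spot datacenter IPs."""
    _method, target, _version = request_line.split(" ", 2)
    fields = parse_qs(urlsplit(target).query).get("fields", [])
    asked = any("hosting" in f.split(",") for f in fields)
    if host.endswith("ip-api.com") and asked:
        return {"hosting_check": True, "result": body.strip()}
    return {"hosting_check": False, "result": None}


if __name__ == "__main__":
    print(hosting_check(*HTTP_REQUEST))
    for finding in unanswered_flows(TCP_ROWS, DNS_ANSWERS):
        print(finding)
```

On a real capture, build the rows from the pcap instead of the hard-coded list; the combination of zero inbound packets and doubling gaps separates a dead or blocked server from one that merely answered slowly, and the "true" from the hosting check is the value the sample saw before it went on to try port 26.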



                                                        Target ID:0
                                                        Start time:17:22:56
                                                        Start date:19/04/2024
                                                        Path:C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
                                                        Imagebase:0x6d0000
                                                        File size:1'119'744 bytes
                                                        MD5 hash:FC6DB4B0A1A08504C0374DF93B0F517A
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2100930635.0000000001560000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:17:22:57
                                                        Start date:19/04/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"
                                                        Imagebase:0xf10000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3345887048.000000000320E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3326274628.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3345887048.00000000031E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:3
                                                        Start time:17:23:11
                                                        Start date:19/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                        Imagebase:0x9a0000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:17:23:11
                                                        Start date:19/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:17:23:19
                                                        Start date:19/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\newfile\newfile.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\newfile\newfile.exe"
                                                        Imagebase:0x1d0000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:17:23:19
                                                        Start date:19/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff66e660000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true
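Two details in the process list above deserve a second look. Target ID 2 is RegSvcs.exe, a Microsoft .NET Framework utility started from the Framework directory, yet its command line is the dropper's own path; a trusted image carrying another program's command line is the trace that process replacement leaves behind and lines up with the report's "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures. And newfile.exe under AppData\Roaming\newfile is listed with the same MD5 (9D352BC46709F0CB5EC974633A0C3C94) and size (45'984 bytes) as RegSvcs.exe, so the 0% antivirus detection on it is what one expects for a copy of a Microsoft binary rather than evidence that it is clean. The script below is an added example, not the report's code; the process records are constructed from the blocks above, and the list of system directories is an assumption.

```python
"""Triage of the process list of a sandbox report.

Added example, not part of the Joe Sandbox report. The process records are
constructed from the values printed on this page; the two checks (a command
line whose executable differs from the process image, and a hash of a binary
running from a system directory turning up under a user-writable path) are
this example's own, and SYSTEM_ROOTS is an assumption.
"""
import ntpath
from collections import defaultdict

# Constructed from the report's per-process blocks (Target IDs 0, 2, 3, 4, 8, 9)
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe",
     "cmdline": r'"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"',
     "md5": "FC6DB4B0A1A08504C0374DF93B0F517A", "size": 1119744},
    {"id": 2, "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe"',
     "md5": "9D352BC46709F0CB5EC974633A0C3C94", "size": 45984},
    {"id": 3, "path": r"C:\Users\user\AppData\Roaming\newfile\newfile.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\newfile\newfile.exe"',
     "md5": "9D352BC46709F0CB5EC974633A0C3C94", "size": 45984},
    {"id": 4, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D", "size": 862208},
    {"id": 8, "path": r"C:\Users\user\AppData\Roaming\newfile\newfile.exe",
     "cmdline": r'"C:\Users\user\AppData\Roaming\newfile\newfile.exe"',
     "md5": "9D352BC46709F0CB5EC974633A0C3C94", "size": 45984},
    {"id": 9, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "md5": "0D698AF330FD17BEE3BF90011D49251D", "size": 862208},
]

# Assumption: prefixes under which unmodified OS binaries live (lower-cased)
SYSTEM_ROOTS = ("c:\\windows\\",)


def cmdline_executable(cmdline):
    """First token of a Windows command line: a quoted path, or the text up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def cmdline_image_mismatch(proc):
    """True when the command line names a different executable than the process image.
    A legitimate image carrying a dropper's command line is the footprint that
    process replacement (hollowing) leaves in a process list."""
    claimed = ntpath.basename(cmdline_executable(proc["cmdline"])).lower()
    actual = ntpath.basename(proc["path"]).lower()
    return claimed != actual


def relocated_system_binaries(procs):
    """Processes outside SYSTEM_ROOTS whose hash matches a process running inside them.
    Returns (process id, original system path) pairs."""
    by_hash = defaultdict(set)
    for p in procs:
        if p["path"].lower().startswith(SYSTEM_ROOTS):
            by_hash[p["md5"].lower()].add(p["path"])
    hits = []
    for p in procs:
        if not p["path"].lower().startswith(SYSTEM_ROOTS):
            for original in sorted(by_hash.get(p["md5"].lower(), ())):
                hits.append((p["id"], original))
    return hits


def triage(procs):
    """Both checks over one process list, keyed by the report's Target IDs."""
    return {
        "cmdline_mismatch": [p["id"] for p in procs if cmdline_image_mismatch(p)],
        "relocated_system_binaries": relocated_system_binaries(procs),
    }


if __name__ == "__main__":
    print(triage(PROCESSES))
```

On an EDR export the same two checks apply unchanged: compare the command line's first token against the image path for every process, and join file hashes of processes under user-writable paths against hashes of processes under the Windows directory. The conhost.exe entries pass both checks, as they should; a console host for a console application is normal.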

                                                          Execution Graph

Execution Coverage: 3.2%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 3%
Total number of Nodes: 2000
Total number of Limit Nodes: 45

[Execution graph omitted: the 2000-node node/edge listing is not meaningful as text. It covers Target ID 0 (image base 0x6d0000; node addresses from 0x6d1044 upward inside the image) plus a second, non-image region at 0x1540000 (nodes 0x1542300 to 0x1543510) whose code resolves GetPEB and calls Sleep. Win32 APIs reached from the graph: SystemParametersInfoW, GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, CloseHandle, RegisterWindowMessageW, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, RaiseException, RtlAllocateHeap, RtlFreeHeap, GetLastError, GetConsoleMode, ReadFile, ReadConsoleW, GetOpenFileNameW, GetLongPathNameW, GetFullPathNameW, LoadLibraryA, LoadLibraryExW, GetProcAddress, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource. The remaining nodes are C runtime internals (__onexit, __Init_thread_wait, _abort, __fread_nolock, __wsopen_s, _wcslen, ___std_exception_copy, __dosmaperr, ___scrt_fastfail, BuildCatchObjectHelperInternal, _free, __alldvrm).]
95406->95400 95407->95339 95408->95345 95409->95345 95411 6fdc23 95410->95411 95415 6fdc1f 95410->95415 95412 6fd955 __fread_nolock 26 API calls 95411->95412 95411->95415 95413 6fdc43 95412->95413 95437 7059be 95413->95437 95416 704d7a 95415->95416 95417 704d90 95416->95417 95419 6fe640 95416->95419 95418 7029c8 _free 20 API calls 95417->95418 95417->95419 95418->95419 95419->95402 95421 708653 95420->95421 95422 70863e 95420->95422 95424 70868e 95421->95424 95427 70867a 95421->95427 95560 6ff2c6 20 API calls _abort 95422->95560 95562 6ff2c6 20 API calls _abort 95424->95562 95426 708643 95561 6ff2d9 20 API calls _abort 95426->95561 95557 708607 95427->95557 95428 708693 95563 6ff2d9 20 API calls _abort 95428->95563 95432 6fe64c 95432->95400 95432->95406 95433 70869b 95564 7027ec 26 API calls _abort 95433->95564 95435->95396 95436->95400 95438 7059ca BuildCatchObjectHelperInternal 95437->95438 95439 7059d2 95438->95439 95440 7059ea 95438->95440 95516 6ff2c6 20 API calls _abort 95439->95516 95442 705a88 95440->95442 95446 705a1f 95440->95446 95521 6ff2c6 20 API calls _abort 95442->95521 95443 7059d7 95517 6ff2d9 20 API calls _abort 95443->95517 95462 705147 EnterCriticalSection 95446->95462 95447 705a8d 95522 6ff2d9 20 API calls _abort 95447->95522 95448 7059df __wsopen_s 95448->95415 95451 705a25 95453 705a41 95451->95453 95454 705a56 95451->95454 95452 705a95 95523 7027ec 26 API calls _abort 95452->95523 95518 6ff2d9 20 API calls _abort 95453->95518 95463 705aa9 95454->95463 95458 705a46 95519 6ff2c6 20 API calls _abort 95458->95519 95459 705a51 95520 705a80 LeaveCriticalSection __wsopen_s 95459->95520 95462->95451 95464 705ad7 95463->95464 95511 705ad0 95463->95511 95465 705afa 95464->95465 95466 705adb 95464->95466 95469 705b4b 95465->95469 95470 705b2e 95465->95470 95531 6ff2c6 20 API calls _abort 95466->95531 95474 705b61 95469->95474 95537 709424 28 API calls __wsopen_s 95469->95537 95534 6ff2c6 20 API calls _abort 95470->95534 95471 705cb1 95471->95459 95472 
705ae0 95532 6ff2d9 20 API calls _abort 95472->95532 95524 70564e 95474->95524 95477 705b33 95535 6ff2d9 20 API calls _abort 95477->95535 95479 705ae7 95533 7027ec 26 API calls _abort 95479->95533 95483 705ba8 95489 705c02 WriteFile 95483->95489 95490 705bbc 95483->95490 95484 705b6f 95486 705b73 95484->95486 95487 705b95 95484->95487 95485 705b3b 95536 7027ec 26 API calls _abort 95485->95536 95492 705c25 GetLastError 95489->95492 95502 705b8b 95489->95502 95493 705bf2 95490->95493 95492->95502 95502->95511 95548 6f0a8c 95511->95548 95516->95443 95517->95448 95518->95458 95519->95459 95520->95448 95521->95447 95522->95452 95523->95448 95525 70f89b __fread_nolock 26 API calls 95524->95525 95526 70565e 95525->95526 95527 705663 95526->95527 95555 702d74 38 API calls 2 library calls 95526->95555 95527->95483 95527->95484 95529 705686 95529->95527 95530 7056a4 GetConsoleMode 95529->95530 95530->95527 95531->95472 95532->95479 95533->95511 95534->95477 95535->95485 95536->95511 95537->95474 95549 6f0a97 IsProcessorFeaturePresent 95548->95549 95550 6f0a95 95548->95550 95552 6f0c5d 95549->95552 95550->95471 95556 6f0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 95552->95556 95554 6f0d40 95554->95471 95555->95529 95556->95554 95565 708585 95557->95565 95559 70862b 95559->95432 95560->95426 95561->95432 95562->95428 95563->95433 95564->95432 95566 708591 BuildCatchObjectHelperInternal 95565->95566 95576 705147 EnterCriticalSection 95566->95576 95568 70859f 95569 7085d1 95568->95569 95570 7085c6 95568->95570 95592 6ff2d9 20 API calls _abort 95569->95592 95577 7086ae 95570->95577 95573 7085cc 95593 7085fb LeaveCriticalSection __wsopen_s 95573->95593 95575 7085ee __wsopen_s 95575->95559 95576->95568 95594 7053c4 95577->95594 95579 7086c4 95607 705333 21 API calls 2 library calls 95579->95607 95580 7086be 95580->95579 95582 7086f6 95580->95582 95585 7053c4 __wsopen_s 26 API calls 95580->95585 95582->95579 95583 7053c4 __wsopen_s 26 
API calls 95582->95583 95586 7086ed 95585->95586 95589 7053c4 __wsopen_s 26 API calls 95586->95589 95589->95582 95592->95573 95593->95575 95595 7053d1 95594->95595 95597 7053e6 95594->95597 95596 6ff2c6 __dosmaperr 20 API calls 95595->95596 95599 7053d6 95596->95599 95598 6ff2c6 __dosmaperr 20 API calls 95597->95598 95600 70540b 95597->95600 95601 705416 95598->95601 95602 6ff2d9 __dosmaperr 20 API calls 95599->95602 95600->95580 95603 6ff2d9 __dosmaperr 20 API calls 95601->95603 95604 7053de 95602->95604 95605 70541e 95603->95605 95604->95580 95610 6d9cc2 _wcslen 95609->95610 95611 6efe0b 22 API calls 95610->95611 95612 6d9cea __fread_nolock 95611->95612 95613 6efddb 22 API calls 95612->95613 95614 6d9d00 95613->95614 95614->94974 95615 722a00 95629 6dd7b0 messages 95615->95629 95616 6ddb11 PeekMessageW 95616->95629 95617 6dd807 GetInputState 95617->95616 95617->95629 95619 721cbe TranslateAcceleratorW 95619->95629 95620 6dda04 timeGetTime 95620->95629 95621 6ddb8f PeekMessageW 95621->95629 95622 6ddb73 TranslateMessage DispatchMessageW 95622->95621 95623 6ddbaf Sleep 95637 6ddbc0 95623->95637 95624 722b74 Sleep 95624->95637 95625 6ee551 timeGetTime 95625->95637 95626 721dda timeGetTime 95730 6ee300 23 API calls 95626->95730 95629->95616 95629->95617 95629->95619 95629->95620 95629->95621 95629->95622 95629->95623 95629->95624 95629->95626 95634 6dd9d5 95629->95634 95647 6ddfd0 95629->95647 95670 6e1310 95629->95670 95727 6ddd50 256 API calls 95629->95727 95728 6dbf40 256 API calls 2 library calls 95629->95728 95729 6eedf6 IsDialogMessageW GetClassLongW 95629->95729 95731 743a2a 23 API calls 95629->95731 95732 6dec40 95629->95732 95756 74359c 82 API calls __wsopen_s 95629->95756 95630 722c0b GetExitCodeProcess 95632 722c21 WaitForSingleObject 95630->95632 95633 722c37 CloseHandle 95630->95633 95632->95629 95632->95633 95633->95637 95635 722a31 95635->95634 95636 7629bf GetForegroundWindow 95636->95637 95637->95625 95637->95629 95637->95630 95637->95634 
95637->95635 95637->95636 95638 722ca9 Sleep 95637->95638 95757 755658 23 API calls 95637->95757 95758 73e97b QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95637->95758 95759 73d4dc 47 API calls 95637->95759 95638->95629 95648 6de010 95647->95648 95667 6de0dc messages 95648->95667 95766 6f0242 5 API calls __Init_thread_wait 95648->95766 95650 74359c 82 API calls 95650->95667 95652 722fca 95654 6da961 22 API calls 95652->95654 95652->95667 95653 6da961 22 API calls 95653->95667 95655 722fe4 95654->95655 95767 6f00a3 29 API calls __onexit 95655->95767 95659 722fee 95768 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95659->95768 95662 6dec40 256 API calls 95662->95667 95665 6de3e1 95665->95629 95666 6e04f0 22 API calls 95666->95667 95667->95650 95667->95653 95667->95662 95667->95665 95667->95666 95760 6da8c7 95667->95760 95764 6da81b 41 API calls 95667->95764 95765 6ea308 256 API calls 95667->95765 95769 6f0242 5 API calls __Init_thread_wait 95667->95769 95770 6f00a3 29 API calls __onexit 95667->95770 95771 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 95667->95771 95772 7547d4 256 API calls 95667->95772 95773 7568c1 256 API calls 95667->95773 95671 6e1376 95670->95671 95672 6e17b0 95670->95672 95673 726331 95671->95673 95674 6e1390 95671->95674 95975 6f0242 5 API calls __Init_thread_wait 95672->95975 95980 75709c 256 API calls 95673->95980 95676 6e1940 9 API calls 95674->95676 95680 6e13a0 95676->95680 95678 6e17ba 95679 6e17fb 95678->95679 95682 6d9cb3 22 API calls 95678->95682 95685 726346 95679->95685 95687 6e182c 95679->95687 95683 6e1940 9 API calls 95680->95683 95681 72633d 95681->95629 95690 6e17d4 95682->95690 95684 6e13b6 95683->95684 95684->95679 95686 6e13ec 95684->95686 95981 74359c 82 API calls __wsopen_s 95685->95981 95686->95685 95710 6e1408 __fread_nolock 95686->95710 95977 6daceb 23 API calls messages 95687->95977 95976 6f01f8 EnterCriticalSection 
LeaveCriticalSection SetEvent ResetEvent 95690->95976 95691 6e1839 95978 6ed217 256 API calls 95691->95978 95694 72636e 95982 74359c 82 API calls __wsopen_s 95694->95982 95695 6e152f 95697 6e153c 95695->95697 95698 7263d1 95695->95698 95700 6e1940 9 API calls 95697->95700 95984 755745 54 API calls _wcslen 95698->95984 95701 6e1549 95700->95701 95705 7264fa 95701->95705 95707 6e1940 9 API calls 95701->95707 95702 6efddb 22 API calls 95702->95710 95703 6e1872 95979 6efaeb 23 API calls 95703->95979 95704 6efe0b 22 API calls 95704->95710 95715 726369 95705->95715 95985 74359c 82 API calls __wsopen_s 95705->95985 95711 6e1563 95707->95711 95709 6dec40 256 API calls 95709->95710 95710->95691 95710->95694 95710->95695 95710->95702 95710->95704 95710->95709 95712 7263b2 95710->95712 95710->95715 95711->95705 95714 6da8c7 22 API calls 95711->95714 95717 6e15c7 messages 95711->95717 95983 74359c 82 API calls __wsopen_s 95712->95983 95714->95717 95715->95629 95716 6e1940 9 API calls 95716->95717 95717->95703 95717->95705 95717->95715 95717->95716 95720 6e167b messages 95717->95720 95722 6d4f39 68 API calls 95717->95722 95774 6eeffa 95717->95774 95831 746ef1 95717->95831 95911 74744a 95717->95911 95968 73d4ce 95717->95968 95971 75958b 95717->95971 95718 6e171d 95718->95629 95720->95718 95974 6ece17 22 API calls messages 95720->95974 95722->95717 95727->95629 95728->95629 95729->95629 95730->95629 95731->95629 95752 6dec76 messages 95732->95752 95733 6f0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 95733->95752 95734 6efddb 22 API calls 95734->95752 95736 6dfef7 95742 6da8c7 22 API calls 95736->95742 95748 6ded9d messages 95736->95748 95738 724b0b 96468 74359c 82 API calls __wsopen_s 95738->96468 95739 6da8c7 22 API calls 95739->95752 95740 724600 95744 6da8c7 22 API calls 95740->95744 95740->95748 95742->95748 95744->95748 95746 6dfbe3 95746->95748 95750 724bdc 95746->95750 95755 6df3ae messages 95746->95755 95747 
6da961 22 API calls 95747->95752 95748->95629 95749 6f00a3 29 API calls pre_c_initialization 95749->95752 96469 74359c 82 API calls __wsopen_s 95750->96469 95752->95733 95752->95734 95752->95736 95752->95738 95752->95739 95752->95740 95752->95746 95752->95747 95752->95748 95752->95749 95753 6f01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 95752->95753 95754 724beb 95752->95754 95752->95755 96465 6e01e0 256 API calls 2 library calls 95752->96465 96466 6e06a0 41 API calls messages 95752->96466 95753->95752 96470 74359c 82 API calls __wsopen_s 95754->96470 95755->95748 96467 74359c 82 API calls __wsopen_s 95755->96467 95756->95629 95757->95637 95758->95637 95759->95637 95761 6da8db 95760->95761 95763 6da8ea __fread_nolock 95760->95763 95762 6efe0b 22 API calls 95761->95762 95761->95763 95762->95763 95763->95667 95764->95667 95765->95667 95766->95652 95767->95659 95768->95667 95769->95667 95770->95667 95771->95667 95772->95667 95773->95667 95986 6d9c6e 95774->95986 95777 6efddb 22 API calls 95779 6ef02b 95777->95779 95781 6efe0b 22 API calls 95779->95781 95780 72f0a8 95821 6ef0a4 95780->95821 96089 749caa 39 API calls 95780->96089 95782 6ef03c 95781->95782 96035 6d6246 95782->96035 95786 72f10a 95789 72f112 95786->95789 95790 6ef0b1 95786->95790 95787 6da961 22 API calls 95788 6ef04f 95787->95788 95791 6d6246 CloseHandle 95788->95791 95793 6db567 39 API calls 95789->95793 96000 6efa5b 95790->96000 95794 6ef056 95791->95794 95798 6ef0b8 95793->95798 96039 6d7510 95794->96039 95797 6d6246 CloseHandle 95799 6ef06c 95797->95799 95800 72f127 95798->95800 95801 6ef0d3 95798->95801 96062 6d5745 95799->96062 95804 6efe0b 22 API calls 95800->95804 96005 6d6270 95801->96005 95807 72f12c 95804->95807 95811 72f140 95807->95811 96090 6ef866 ReadFile SetFilePointerEx 95807->96090 95808 72f0a0 96088 6d6216 CloseHandle messages 95808->96088 95809 6ef085 96070 6d53de 95809->96070 95819 72f144 __fread_nolock 95811->95819 96091 740e85 22 API calls 
___scrt_fastfail 95811->96091 95814 6ef0ea 95814->95819 96024 6d62b5 95814->96024 95818 6ef093 96085 6d53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95818->96085 95821->95790 96030 6db567 95821->96030 95822 6ef0fe 95823 6ef138 95822->95823 95826 6d6246 CloseHandle 95822->95826 95823->95717 95824 6ef09a 95824->95821 95825 72f069 95824->95825 96087 73ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 95825->96087 95827 6ef12c 95826->95827 95827->95823 96086 6d6216 CloseHandle messages 95827->96086 95829 72f080 95829->95821 95832 6da961 22 API calls 95831->95832 95833 746f1d 95832->95833 95834 6da961 22 API calls 95833->95834 95835 746f26 95834->95835 95836 746f3a 95835->95836 95837 6db567 39 API calls 95835->95837 95838 6d7510 53 API calls 95836->95838 95837->95836 95839 746f57 _wcslen 95838->95839 95840 746fbc 95839->95840 95841 7470bf 95839->95841 95851 7470e9 95839->95851 95842 6d7510 53 API calls 95840->95842 95843 6d4ecb 94 API calls 95841->95843 95844 746fc8 95842->95844 95845 7470d0 95843->95845 95848 6da8c7 22 API calls 95844->95848 95854 746fdb 95844->95854 95846 7470e5 95845->95846 95849 6d4ecb 94 API calls 95845->95849 95847 6da961 22 API calls 95846->95847 95846->95851 95850 74711a 95847->95850 95848->95854 95849->95846 95852 6da961 22 API calls 95850->95852 95851->95717 95856 747126 95852->95856 95853 747027 95855 6d7510 53 API calls 95853->95855 95854->95853 95857 747005 95854->95857 95860 6da8c7 22 API calls 95854->95860 95858 747034 95855->95858 95859 6da961 22 API calls 95856->95859 96303 6d33c6 95857->96303 95862 747047 95858->95862 95863 74703d 95858->95863 95864 74712f 95859->95864 95860->95857 96312 73e199 GetFileAttributesW 95862->96312 95866 6da8c7 22 API calls 95863->95866 95868 6da961 22 API calls 95864->95868 95865 74700f 95869 6d7510 53 API calls 95865->95869 95866->95862 95871 747138 95868->95871 95872 74701b 95869->95872 95870 747050 95873 747063 95870->95873 95877 6d4c6d 22 API calls 95870->95877 95874 6d7510 53 
API calls 95871->95874 95875 6d6350 22 API calls 95872->95875 95876 6d7510 53 API calls 95873->95876 95883 747069 95873->95883 95878 747145 95874->95878 95875->95853 95879 7470a0 95876->95879 95877->95873 96140 6d525f 95878->96140 96313 73d076 57 API calls 95879->96313 95882 747166 96182 6d4c6d 95882->96182 95883->95851 95886 7471a9 95888 6da8c7 22 API calls 95886->95888 95887 6d4c6d 22 API calls 95889 747186 95887->95889 95890 7471ba 95888->95890 95889->95886 95892 6d6b57 22 API calls 95889->95892 96185 6d6350 95890->96185 95894 74719b 95892->95894 95896 6d6b57 22 API calls 95894->95896 95895 6d6350 22 API calls 95897 7471d6 95895->95897 95896->95886 95898 6d6350 22 API calls 95897->95898 95899 7471e4 95898->95899 95900 6d7510 53 API calls 95899->95900 95901 7471f0 95900->95901 96194 73d7bc 95901->96194 95903 747201 95904 73d4ce 4 API calls 95903->95904 95905 74720b 95904->95905 95906 6d7510 53 API calls 95905->95906 95910 747239 95905->95910 95907 747229 95906->95907 96248 742947 95907->96248 95909 6d4f39 68 API calls 95909->95851 95910->95909 95912 747469 95911->95912 95913 747474 95911->95913 95914 6db567 39 API calls 95912->95914 95915 747554 95913->95915 95917 6da961 22 API calls 95913->95917 95914->95913 95916 6efddb 22 API calls 95915->95916 95967 7476a4 95915->95967 95918 747587 95916->95918 95919 747495 95917->95919 95920 6efe0b 22 API calls 95918->95920 95921 6da961 22 API calls 95919->95921 95922 747598 95920->95922 95923 74749e 95921->95923 95924 6d6246 CloseHandle 95922->95924 95925 6d7510 53 API calls 95923->95925 95926 7475a3 95924->95926 95927 7474aa 95925->95927 95928 6da961 22 API calls 95926->95928 95930 6d525f 22 API calls 95927->95930 95929 7475ab 95928->95929 95931 6d6246 CloseHandle 95929->95931 95932 7474bf 95930->95932 95933 7475b2 95931->95933 95934 6d6350 22 API calls 95932->95934 95935 6d7510 53 API calls 95933->95935 95936 7474f2 95934->95936 95937 7475be 95935->95937 95938 74754a 95936->95938 95939 73d4ce 4 API calls 95936->95939 
95940 6d6246 CloseHandle 95937->95940 95943 6db567 39 API calls 95938->95943 95941 747502 95939->95941 95942 7475c8 95940->95942 95941->95938 95944 747506 95941->95944 95946 6d5745 5 API calls 95942->95946 95943->95915 95945 6d9cb3 22 API calls 95944->95945 95947 747513 95945->95947 95948 7475e2 95946->95948 96363 73d2c1 26 API calls 95947->96363 95950 7476de GetLastError 95948->95950 95951 7475ea 95948->95951 95953 7476f7 95950->95953 95954 6d53de 27 API calls 95951->95954 95952 74751c 95952->95938 96367 6d6216 CloseHandle messages 95953->96367 95956 7475f8 95954->95956 96364 6d53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 95956->96364 95958 747645 95959 6efddb 22 API calls 95958->95959 95962 747679 95959->95962 95960 7475ff 95960->95958 95961 747619 95960->95961 96365 73ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 95961->96365 95963 6da961 22 API calls 95962->95963 95965 747686 95963->95965 95965->95967 96366 73417d 22 API calls __fread_nolock 95965->96366 95967->95717 96368 73dbbe lstrlenW 95968->96368 96373 757f59 95971->96373 95973 75959b 95973->95717 95974->95720 95975->95678 95976->95679 95977->95691 95978->95703 95979->95703 95980->95681 95981->95715 95982->95715 95983->95715 95984->95711 95985->95715 95987 6d9c7e 95986->95987 95988 71f545 95986->95988 95993 6efddb 22 API calls 95987->95993 95989 71f556 95988->95989 95991 6d6b57 22 API calls 95988->95991 95990 6da6c3 22 API calls 95989->95990 95992 71f560 95990->95992 95991->95989 95992->95992 95994 6d9c91 95993->95994 95995 6d9cac 95994->95995 95996 6d9c9a 95994->95996 95998 6da961 22 API calls 95995->95998 95997 6d9cb3 22 API calls 95996->95997 95999 6d9ca2 95997->95999 95998->95999 95999->95777 95999->95780 96092 6d54c6 96000->96092 96003 6d54c6 3 API calls 96004 6efa9a 96003->96004 96004->95798 96006 6efe0b 22 API calls 96005->96006 96007 6d6295 96006->96007 96008 6efddb 22 API calls 96007->96008 96009 6d62a3 96008->96009 96010 6ef141 96009->96010 96011 6ef14c 96010->96011 
96012 6ef188 96010->96012 96011->96012 96017 6ef15b 96011->96017 96013 6da6c3 22 API calls 96012->96013 96020 73caeb 96013->96020 96014 6ef170 96098 6ef18e 96014->96098 96016 6ef17d 96105 73cbf2 26 API calls 96016->96105 96017->96014 96017->96016 96018 73cb1a 96018->95814 96020->96018 96106 73ca89 ReadFile SetFilePointerEx 96020->96106 96107 6d49bd 22 API calls __fread_nolock 96020->96107 96021 6ef179 96021->95814 96025 6d62fa 96024->96025 96027 6d62c1 96024->96027 96026 6da8c7 22 API calls 96025->96026 96028 6d62d4 96025->96028 96026->96028 96029 6efddb 22 API calls 96027->96029 96028->95822 96029->96028 96031 6db57f 96030->96031 96032 6db578 96030->96032 96031->95786 96032->96031 96135 6f62d1 39 API calls _strftime 96032->96135 96034 6db5c2 96034->95786 96036 6d625f 96035->96036 96037 6d6250 96035->96037 96036->96037 96038 6d6264 CloseHandle 96036->96038 96037->95787 96038->96037 96040 6d7525 96039->96040 96041 6d7522 96039->96041 96042 6d752d 96040->96042 96043 6d755b 96040->96043 96041->95797 96136 6f51c6 26 API calls 96042->96136 96044 7150f6 96043->96044 96046 6d756d 96043->96046 96053 71500f 96043->96053 96139 6f5183 26 API calls 96044->96139 96137 6efb21 51 API calls 96046->96137 96047 6d753d 96052 6efddb 22 API calls 96047->96052 96050 71510e 96050->96050 96054 6d7547 96052->96054 96056 6efe0b 22 API calls 96053->96056 96057 715088 96053->96057 96055 6d9cb3 22 API calls 96054->96055 96055->96041 96058 715058 96056->96058 96138 6efb21 51 API calls 96057->96138 96059 6efddb 22 API calls 96058->96059 96060 71507f 96059->96060 96061 6d9cb3 22 API calls 96060->96061 96061->96057 96063 6d575c CreateFileW 96062->96063 96064 714035 96062->96064 96066 6d577b 96063->96066 96065 71403b CreateFileW 96064->96065 96064->96066 96065->96066 96067 714063 96065->96067 96066->95808 96066->95809 96068 6d54c6 3 API calls 96067->96068 96069 71406e 96068->96069 96069->96066 96071 6d53f3 96070->96071 96084 6d53f0 messages 96070->96084 96072 6d54c6 3 API calls 96071->96072 
96071->96084 96073 6d5410 96072->96073 96074 6d541d 96073->96074 96075 713f4b 96073->96075 96077 6efe0b 22 API calls 96074->96077 96076 6efa5b 3 API calls 96075->96076 96076->96084 96078 6d5429 96077->96078 96079 6d5722 22 API calls 96078->96079 96080 6d5433 96079->96080 96081 6d9a40 2 API calls 96080->96081 96082 6d543f 96081->96082 96083 6d54c6 3 API calls 96082->96083 96083->96084 96084->95818 96085->95824 96086->95823 96087->95829 96088->95780 96089->95780 96090->95811 96091->95819 96093 6d54dd 96092->96093 96094 6d5564 SetFilePointerEx SetFilePointerEx 96093->96094 96095 713f9c SetFilePointerEx 96093->96095 96096 713f8b 96093->96096 96097 6d5530 96093->96097 96094->96097 96096->96095 96097->96003 96108 6ef1d8 96098->96108 96104 6ef1c1 96104->96021 96105->96021 96106->96020 96107->96020 96109 6efe0b 22 API calls 96108->96109 96110 6ef1ef 96109->96110 96111 6efddb 22 API calls 96110->96111 96112 6ef1a6 96111->96112 96113 6d97b6 96112->96113 96120 6d9a1e 96113->96120 96115 6d97fc 96115->96104 96119 6d6e14 24 API calls 96115->96119 96117 6d97c7 96117->96115 96127 6d9a40 96117->96127 96133 6d9b01 22 API calls __fread_nolock 96117->96133 96119->96104 96121 6d9a2f 96120->96121 96122 71f378 96120->96122 96121->96117 96123 6efddb 22 API calls 96122->96123 96124 71f382 96123->96124 96125 6efe0b 22 API calls 96124->96125 96126 71f397 96125->96126 96128 6d9abb 96127->96128 96131 6d9a4e 96127->96131 96134 6ee40f SetFilePointerEx 96128->96134 96129 6d9a7c 96129->96117 96131->96129 96132 6d9a8c ReadFile 96131->96132 96132->96129 96132->96131 96133->96117 96134->96131 96135->96034 96136->96047 96137->96047 96138->96044 96139->96050 96141 6da961 22 API calls 96140->96141 96142 6d5275 96141->96142 96143 6da961 22 API calls 96142->96143 96144 6d527d 96143->96144 96145 6da961 22 API calls 96144->96145 96146 6d5285 96145->96146 96147 6da961 22 API calls 96146->96147 96148 6d528d 96147->96148 96149 713df5 96148->96149 96150 6d52c1 96148->96150 96151 6da8c7 22 API calls 96149->96151 
96152 6d6d25 22 API calls 96150->96152 96153 713dfe 96151->96153 96154 6d52cf 96152->96154 96155 6da6c3 22 API calls 96153->96155 96156 6d93b2 22 API calls 96154->96156 96158 6d5304 96155->96158 96157 6d52d9 96156->96157 96157->96158 96159 6d6d25 22 API calls 96157->96159 96160 6d5349 96158->96160 96161 6d5325 96158->96161 96177 713e20 96158->96177 96163 6d52fa 96159->96163 96314 6d6d25 96160->96314 96161->96160 96166 6d4c6d 22 API calls 96161->96166 96165 6d93b2 22 API calls 96163->96165 96164 6d535a 96167 6d5370 96164->96167 96172 6da8c7 22 API calls 96164->96172 96165->96158 96169 6d5332 96166->96169 96168 6d5384 96167->96168 96173 6da8c7 22 API calls 96167->96173 96171 6d538f 96168->96171 96175 6da8c7 22 API calls 96168->96175 96169->96160 96174 6d6d25 22 API calls 96169->96174 96170 6d6b57 22 API calls 96179 713ee0 96170->96179 96176 6da8c7 22 API calls 96171->96176 96181 6d539a 96171->96181 96172->96167 96173->96168 96174->96160 96175->96171 96176->96181 96177->96170 96178 6d4c6d 22 API calls 96178->96179 96179->96160 96179->96178 96327 6d49bd 22 API calls __fread_nolock 96179->96327 96181->95882 96183 6daec9 22 API calls 96182->96183 96184 6d4c78 96183->96184 96184->95886 96184->95887 96186 714a51 96185->96186 96187 6d6362 96185->96187 96339 6d4a88 22 API calls __fread_nolock 96186->96339 96329 6d6373 96187->96329 96190 6d636e 96190->95895 96191 714a5b 96192 714a67 96191->96192 96193 6da8c7 22 API calls 96191->96193 96193->96192 96195 73d7d8 96194->96195 96196 73d7f3 96195->96196 96197 73d7dd 96195->96197 96198 6da961 22 API calls 96196->96198 96199 6da8c7 22 API calls 96197->96199 96247 73d7ee 96197->96247 96200 73d7fb 96198->96200 96199->96247 96201 6da961 22 API calls 96200->96201 96202 73d803 96201->96202 96203 6da961 22 API calls 96202->96203 96204 73d80e 96203->96204 96205 6da961 22 API calls 96204->96205 96206 73d816 96205->96206 96207 6da961 22 API calls 96206->96207 96208 73d81e 96207->96208 96209 6da961 22 API calls 96208->96209 96210 73d826 
96209->96210 96211 6da961 22 API calls 96210->96211 96212 73d82e 96211->96212 96213 6da961 22 API calls 96212->96213 96214 73d836 96213->96214 96215 6d525f 22 API calls 96214->96215 96216 73d84d 96215->96216 96217 6d525f 22 API calls 96216->96217 96218 73d866 96217->96218 96219 6d4c6d 22 API calls 96218->96219 96220 73d872 96219->96220 96221 73d885 96220->96221 96222 6d93b2 22 API calls 96220->96222 96223 6d4c6d 22 API calls 96221->96223 96222->96221 96224 73d88e 96223->96224 96225 73d89e 96224->96225 96226 6d93b2 22 API calls 96224->96226 96227 73d8b0 96225->96227 96228 6da8c7 22 API calls 96225->96228 96226->96225 96229 6d6350 22 API calls 96227->96229 96228->96227 96230 73d8bb 96229->96230 96345 73d978 22 API calls 96230->96345 96232 73d8ca 96346 73d978 22 API calls 96232->96346 96234 73d8dd 96235 6d4c6d 22 API calls 96234->96235 96236 73d8e7 96235->96236 96237 73d8fe 96236->96237 96238 73d8ec 96236->96238 96240 6d4c6d 22 API calls 96237->96240 96239 6d33c6 22 API calls 96238->96239 96241 73d8f9 96239->96241 96242 73d907 96240->96242 96245 6d6350 22 API calls 96241->96245 96243 73d925 96242->96243 96244 6d33c6 22 API calls 96242->96244 96246 6d6350 22 API calls 96243->96246 96244->96241 96245->96243 96246->96247 96247->95903 96249 742954 __wsopen_s 96248->96249 96250 6efe0b 22 API calls 96249->96250 96251 742971 96250->96251 96252 6d5722 22 API calls 96251->96252 96253 74297b 96252->96253 96254 74274e 27 API calls 96253->96254 96255 742986 96254->96255 96256 6d511f 64 API calls 96255->96256 96257 74299b 96256->96257 96258 742a6c 96257->96258 96259 7429bf 96257->96259 96260 742e66 75 API calls 96258->96260 96261 742e66 75 API calls 96259->96261 96276 742a38 96260->96276 96262 7429c4 96261->96262 96266 742a75 messages 96262->96266 96351 6fd583 26 API calls 96262->96351 96264 6d50f5 40 API calls 96265 742a91 96264->96265 96267 6d50f5 40 API calls 96265->96267 96266->95910 96269 742aa1 96267->96269 96268 7429ed 96352 6fd583 26 API calls 96268->96352 96270 6d50f5 40 

                                                          Control-flow Graph (graph image not reproduced; executed and not-executed paths are shown in the original rendering)
                                                          APIs
                                                          • GetVersionExW.KERNEL32(?), ref: 006D430D
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • GetCurrentProcess.KERNEL32(?,0076CB64,00000000,?,?), ref: 006D4422
                                                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 006D4429
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006D4454
                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006D4466
                                                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006D4474
                                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 006D447B
                                                          • GetSystemInfo.KERNEL32(?,?,?), ref: 006D44A0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                          • API String ID: 3290436268-3101561225
                                                          • Opcode ID: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
                                                          • Instruction ID: 569a3738feeeae290c9a7606aa7d775ee12e45a2e80a7a97d16c6f5d36e87631
                                                          • Opcode Fuzzy Hash: 5e58d419d6dfeb18fa973428e244d21e4e5ef5a0b52b42e5afb7f7e9ab991676
                                                          • Instruction Fuzzy Hash: 1AA1A465D0A2C0DFEF12CF6D78801E57FE5ABA7340F88C89AD08197B61D67C4949CB29
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph image not reproduced; executed and not-executed paths are shown in the original rendering)
                                                          APIs
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42B2
                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006D50AA,?,?,00000000,00000000), ref: 006D42C9
                                                          • LoadResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135BE
                                                          • SizeofResource.KERNEL32(?,00000000,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20), ref: 007135D3
                                                          • LockResource.KERNEL32(006D50AA,?,?,006D50AA,?,?,00000000,00000000,?,?,?,?,?,?,006D4F20,?), ref: 007135E6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                          • String ID: SCRIPT
                                                          • API String ID: 3051347437-3967369404
                                                          • Opcode ID: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
                                                          • Instruction ID: 8f7659fde18478b6f866f0df50208c0ada4bf0b7bd2b3275a48622568657523e
                                                          • Opcode Fuzzy Hash: 246a075dd664262b1961dfb6f7a89e26ad9afcf8139f8b6a19e43dc05d42bf46
                                                          • Instruction Fuzzy Hash: BB117C70600701BFE7228B65DC49F677BBAEFC5B51F10816AF847D6290DBB1DD008660
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (graph image not reproduced)
                                                          APIs
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                                                            • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00792224), ref: 00712C10
                                                          • ShellExecuteW.SHELL32(00000000,?,?,00792224), ref: 00712C17
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                          • String ID: runas
                                                          • API String ID: 448630720-4000483414
                                                          • Opcode ID: 4e457e84b0337f6b2def289b8948fb577cca41b27f07d399df9512ccb59c3a60
                                                          • Instruction ID: d643540db0769af3fb9bac1b6c5997cb7f89ac590afa182eb39c11fd9de8d72d
                                                          • Opcode Fuzzy Hash: 4e457e84b0337f6b2def289b8948fb577cca41b27f07d399df9512ccb59c3a60
                                                          • Instruction Fuzzy Hash: 28112C31E083915AD755FF64D8519BE7BA69FE5744F44442FF082023A3CF68894AC71B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(?,00715222), ref: 0073DBCE
• GetFileAttributesW.KERNELBASE(?), ref: 0073DBDD
• FindFirstFileW.KERNELBASE(?,?), ref: 0073DBEE
• FindClose.KERNEL32(00000000), ref: 0073DBFA
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
• Opcode ID: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
• Instruction ID: 643c8daf687ae83e39368bfd93b56a5a334912e88e81bdc431b8eb0b8de2b057
• Opcode Fuzzy Hash: 72eac06d1bf322ed8667c13715d8a6a76d7f68eff1fb54395183526af14965d0
• Instruction Fuzzy Hash: BFF0A7704206145FA2316B78AC0D47A776CAE01334F108702F876C10E1EBF89D5485AA
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
• Opcode ID: 6dc2eeccbc8ce8293b8d3b6bd16f8b1e5b8e4c2c82dbe34fd2613c9aec0db9e8
• Instruction ID: 5a069a0b059f65590e8d978a29e9aa72318cd83de11aca0ebc9c769064dfa5ce
• Opcode Fuzzy Hash: 6dc2eeccbc8ce8293b8d3b6bd16f8b1e5b8e4c2c82dbe34fd2613c9aec0db9e8
• Instruction Fuzzy Hash: EB423670A04341EFD725EF24C844BAAB7E2BF86304F14851EF8568B392D779E845CB92
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 006D2D07
• RegisterClassExW.USER32(00000030), ref: 006D2D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
• InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
• LoadIconW.USER32(000000A9), ref: 006D2D85
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
• Instruction ID: d41e656721f8152c92dd79ceb61baa6bd4ecab2fdab06af11c530d46052495e0
• Opcode Fuzzy Hash: abf4921485fad8f7decfba4dde7d85d2729b00000cda5d9487c7e036090d72f4
• Instruction Fuzzy Hash: 712127B0901358AFEB01DFA4EC48BEEBBB4FB48700F00811AF552A62A0D7B91544CF99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph rendering not reproduced: basic blocks 708d45 through 7090f9; API call sites shown in the graph: GetConsoleMode, ReadFile, ReadConsoleW, GetLastError]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID:
• String ID: .o
• API String ID: 0-1957372423
• Opcode ID: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
• Instruction ID: 828c8c3f5b6c32db5ec654f076e1baca557b93afdc6cd4675d5c4b882d78edf1
• Opcode Fuzzy Hash: a2d2d4247ac27b2bcf4d84df3ef3fe38d0109192b34bf9c5af5081b4b5290163
• Instruction Fuzzy Hash: E3C1F174A0424AEFDB51DFA8C844BADBBF1AF49310F044299F654AB3D3C7389941CB61
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

[Graph rendering not reproduced: basic blocks 71065b through 710983; API call sites shown in the graph: GetFileType, GetLastError, CloseHandle]
APIs
  • Part of subcall function 0071039A: CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
• GetLastError.KERNEL32 ref: 0071076F
• __dosmaperr.LIBCMT ref: 00710776
• GetFileType.KERNELBASE(00000000), ref: 00710782
• GetLastError.KERNEL32 ref: 0071078C
• __dosmaperr.LIBCMT ref: 00710795
• CloseHandle.KERNEL32(00000000), ref: 007107B5
• CloseHandle.KERNEL32(?), ref: 007108FF
• GetLastError.KERNEL32 ref: 00710931
• __dosmaperr.LIBCMT ref: 00710938
Strings
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
• Instruction ID: de18356d564fffede57596023328c43ca7459cb933514b6fe10b67b89811eae9
• Opcode Fuzzy Hash: 3d7b2947b5edf9c0b645642d35edd098d24897b8e53abf504cab54786642d6e1
• Instruction Fuzzy Hash: 17A14332A001088FDF19AF6CD895BEE3BA1AF46320F14415DF811AB3D1C7799992CBD5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
  • Part of subcall function 006D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007A1418,?,006D2E7F,?,?,?,00000000), ref: 006D3A78
  • Part of subcall function 006D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006D3379
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006D356A
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0071318D
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007131CE
• RegCloseKey.ADVAPI32(?), ref: 00713210
• _wcslen.LIBCMT ref: 00713277
• _wcslen.LIBCMT ref: 00713286
Strings
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 98802146-2727554177
• Opcode ID: 8b98d3d7ad8c35d0b3c58dae969be202aded1d5b9e19c00b76777e1b9df3233e
• Instruction ID: dc0eb2053d3abf49d6fd92b1ba64864e9878e76d5ca4e9013eeafbc660286080
• Opcode Fuzzy Hash: 8b98d3d7ad8c35d0b3c58dae969be202aded1d5b9e19c00b76777e1b9df3233e
• Instruction Fuzzy Hash: A571B6715043009FC744EF69DC418ABBBE8FF86740F40842EF545872B1EB789A49CB59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 006D2B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 006D2B9D
• LoadIconW.USER32(00000063), ref: 006D2BB3
• LoadIconW.USER32(000000A4), ref: 006D2BC5
• LoadIconW.USER32(000000A2), ref: 006D2BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006D2BEF
• RegisterClassExW.USER32(?), ref: 006D2C40
  • Part of subcall function 006D2CD4: GetSysColorBrush.USER32(0000000F), ref: 006D2D07
  • Part of subcall function 006D2CD4: RegisterClassExW.USER32(00000030), ref: 006D2D31
  • Part of subcall function 006D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006D2D42
  • Part of subcall function 006D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006D2D5F
  • Part of subcall function 006D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006D2D6F
  • Part of subcall function 006D2CD4: LoadIconW.USER32(000000A9), ref: 006D2D85
  • Part of subcall function 006D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006D2D94
Strings
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
• Instruction ID: 7553c93a847984972d24c8f2b4edff7a2396c84a6737d1a18b6c23467bec22d9
• Opcode Fuzzy Hash: f6d9fe7856e3c8a7354fb36c54262a62cdc0eea2523d96967e22a9d9ffcae6af
• Instruction Fuzzy Hash: A7213874E00328AFEF119FA5EC55AA97FF4FB89B50F40802AE505A66A0D3B90540CF98
Uniqueness

Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 554 6d3170-6d3185 555 6d31e5-6d31e7 554->555 556 6d3187-6d318a 554->556 555->556 557 6d31e9 555->557 558 6d318c-6d3193 556->558 559 6d31eb 556->559 560 6d31d0-6d31d8 DefWindowProcW 557->560 563 6d3199-6d319e 558->563 564 6d3265-6d326d PostQuitMessage 558->564 561 712dfb-712e23 call 6d18e2 call 6ee499 559->561 562 6d31f1-6d31f6 559->562 570 6d31de-6d31e4 560->570 600 712e28-712e2f 561->600 565 6d321d-6d3244 SetTimer RegisterWindowMessageW 562->565 566 6d31f8-6d31fb 562->566 568 6d31a4-6d31a8 563->568 569 712e7c-712e90 call 73bf30 563->569 571 6d3219-6d321b 564->571 565->571 575 6d3246-6d3251 CreatePopupMenu 565->575 572 6d3201-6d3214 KillTimer call 6d30f2 call 6d3c50 566->572 573 712d9c-712d9f 566->573 576 6d31ae-6d31b3 568->576 577 712e68-712e77 call 73c161 568->577 569->571 595 712e96 569->595 571->570 572->571 579 712da1-712da5 573->579 580 712dd7-712df6 MoveWindow 573->580 575->571 584 6d31b9-6d31be 576->584 585 712e4d-712e54 576->585 577->571 587 712da7-712daa 579->587 588 712dc6-712dd2 SetFocus 579->588 580->571 593 6d31c4-6d31ca 584->593 594 6d3253-6d3263 call 6d326f 584->594 585->560 589 712e5a-712e63 call 730ad7 585->589 587->593 596 712db0-712dc1 call 6d18e2 587->596 588->571 589->560 593->560 593->600 594->571 595->560 596->571 600->560 604 712e35-712e48 call 6d30f2 call 6d3837 600->604 604->560
                                                          APIs
                                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006D316A,?,?), ref: 006D31D8
                                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,006D316A,?,?), ref: 006D3204
                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006D3227
                                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006D316A,?,?), ref: 006D3232
                                                          • CreatePopupMenu.USER32 ref: 006D3246
                                                          • PostQuitMessage.USER32(00000000), ref: 006D3267
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                          • String ID: TaskbarCreated
                                                          • API String ID: 129472671-2362178303
                                                          • Opcode ID: cd151b0d83ca9ac18536566dfafa0400343550417e7bb65e33de03ee1d050927
                                                          • Instruction ID: 317a016b31a23cfbf3fec66c0101b0bc463eafdfe01ad8dcbd26cf9c7b3828b7
                                                          • Opcode Fuzzy Hash: cd151b0d83ca9ac18536566dfafa0400343550417e7bb65e33de03ee1d050927
                                                          • Instruction Fuzzy Hash: A2414C35E00261A7EF151F789C0D7B9361BE786340F048127F542853E2C7AE9B4197AB
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D%z$D%z$D%z$D%z$D%zD%z$Variable must be of type 'Object'.
                                                          • API String ID: 0-1874280672
                                                          • Opcode ID: 1ba4c701450d120870c23b11bd0d5dedf9c177155179cd8ee54735ea794cf9be
                                                          • Instruction ID: 1b46072e2f65bd35412a9813bf7e5d9bcaff1260729c27f0cccc1bcf8af2f3bc
                                                          • Opcode Fuzzy Hash: 1ba4c701450d120870c23b11bd0d5dedf9c177155179cd8ee54735ea794cf9be
                                                          • Instruction Fuzzy Hash: 43C28F71E00215CFCB24EF58D880AADB7B2BF49310F24855AE915AF351D37AED42CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph (graph image and edge list not reproduced): entry block 1542660-154270e; API calls in graph nodes: CreateFileW, VirtualAlloc, ReadFile, VirtualFree, FindCloseChangeNotification
                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01542731
                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01542957
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateFileFreeVirtual
                                                          • String ID:
                                                          • API String ID: 204039940-0
                                                          • Opcode ID: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
                                                          • Instruction ID: d6440a883c023d1124cbea5f1b9f31fe0b7e1db6ed303fd22efe4e1ee077c423
                                                          • Opcode Fuzzy Hash: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
                                                          • Instruction Fuzzy Hash: C2A11A74E00219EBEB14CFA4D894BEEBBB5BF48308F108559F501BB280D7759A81CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph (graph image not reproduced): single block 6d2c63-6d2cd3; API calls in graph node: CreateWindowExW * 2, ShowWindow * 2
                                                          APIs
                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006D2C91
                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006D2CB2
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CC6
                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,006D1CAD,?), ref: 006D2CCF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$CreateShow
                                                          • String ID: AutoIt v3$edit
                                                          • API String ID: 1584632944-3779509399
                                                          • Opcode ID: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
                                                          • Instruction ID: 787d24c39cf6fb796c215e81ff7ac9d04635382443816d346e496bd3e0d5c981
                                                          • Opcode Fuzzy Hash: 8af7501be3801dd75187bb8726b3ba6a6747097ff38a971ee5dfa69d0d93c0a4
                                                          • Instruction Fuzzy Hash: A2F0DA765403A07AFB311B17AC08E773EBDD7C7F61F40805AF900A29A0C6A91850DEB8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph (graph image and edge list not reproduced): entry block 1542410-1542562; API calls in graph nodes: CreateFileW, VirtualAlloc, ReadFile, ExitProcess
                                                          APIs
                                                            • Part of subcall function 01542300: Sleep.KERNELBASE(000001F4), ref: 01542311
                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01542558
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateFileSleep
                                                          • String ID: 4OXOPRMO6A6XD4DF4I32RI0HDZFN
                                                          • API String ID: 2694422964-1448326144
                                                          • Opcode ID: 3614f3d71e9f9ec0d2f07881e63f9a535e33de7354b6d8595ba23a76a8fe67ed
                                                          • Instruction ID: 24251506c3e1f2787734d39aa4bc98468c7c3f73daaac09e4f61458dc0ae798a
                                                          • Opcode Fuzzy Hash: 3614f3d71e9f9ec0d2f07881e63f9a535e33de7354b6d8595ba23a76a8fe67ed
                                                          • Instruction Fuzzy Hash: AE61B570D04298DBEF11DBB4D854BEEBBB5AF15304F044199E2487B2C1D7B91B44CBAA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph (graph image and edge list not reproduced): entry block 742947-7429b9; API calls in graph nodes: DeleteFileW, CopyFileW
                                                          APIs
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742C05
                                                          • DeleteFileW.KERNEL32(?), ref: 00742C87
                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00742C9D
                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CAE
                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00742CC0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: File$Delete$Copy
                                                          • String ID:
                                                          • API String ID: 3226157194-0
                                                          • Opcode ID: 1c6c23f8ade6f0850e2ee23a89e2ee6a179da21f564f4ca5ba1363492a69e7ba
                                                          • Instruction ID: 445dfe9723d1cc7f5bda5f376bfaf13b66ee5bf9e829e6538597da3803ab7554
                                                          • Opcode Fuzzy Hash: 1c6c23f8ade6f0850e2ee23a89e2ee6a179da21f564f4ca5ba1363492a69e7ba
                                                          • Instruction Fuzzy Hash: 10B16EB1D0011DABDF11DBA4CC85EEEBB7DEF48300F5040AAFA09E6152EB349A558F65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Control-flow Graph (graph image and edge list not reproduced): entry block 705aa9-705ace; API calls in graph nodes: WriteFile, GetLastError
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: JOm
                                                          • API String ID: 0-3333332779
                                                          • Opcode ID: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
                                                          • Instruction ID: ec307cee2fc0882e5dbade6ab52665bad6e072e5f87d58178f11db81b096e02d
                                                          • Opcode Fuzzy Hash: cde4c688588551de0a28c681058d18ecc55db013d10646234923373592580bfd
                                                          • Instruction Fuzzy Hash: 3451CEB190060AEFDF219FA4C849EBFBBF9AF45314F14025AF405A72D2D6799A01CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B40
                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B61
                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006D3B0F,SwapMouseButtons,00000004,?), ref: 006D3B83
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseOpenQueryValue
                                                          • String ID: Control Panel\Mouse
                                                          • API String ID: 3677997916-824357125
                                                          • Opcode ID: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
                                                          • Instruction ID: a016f2bcac2245288c30e5814549a6a72c063dfa92362300d28b2eb19b8a528d
                                                          • Opcode Fuzzy Hash: 2a1ac18a7148543ce1773203751be109abdcc8a83c13f953537b7875f6a4ae53
                                                          • Instruction Fuzzy Hash: 64112AB5910218FFDB218FA5DC44AEEB7B9EF24744B10846BE845D7310E2719E409765
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01541B2D
                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01541B51
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01541B73
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                          • String ID:
                                                          • API String ID: 2438371351-0
                                                          • Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                          • Instruction ID: 8695a47f51e8eda22c35ae667a97760ccd81eb521c98d70fe73b275421cb2211
                                                          • Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
                                                          • Instruction Fuzzy Hash: DA621934A14658DBEB24CBA4C880BDEB772FF58304F1095A9D20DEB290E7759E81CB59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007133A2
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006D3A04
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: IconLoadNotifyShell_String_wcslen
                                                          • String ID: Line:
                                                          • API String ID: 2289894680-1585850449
                                                          • Opcode ID: 90582174f391c145553440d274284043cc55c2baf4c46ac9af5002137d513350
                                                          • Instruction ID: 0354fac024e60cba6414f79df7e83547fb0b576bcdba87e76b01c74a7e09d29a
                                                          • Opcode Fuzzy Hash: 90582174f391c145553440d274284043cc55c2baf4c46ac9af5002137d513350
                                                          • Instruction Fuzzy Hash: 6531E171908324AED761EF20DC45BEBB7D9AB81710F00492FF59982391EB749A48C7DB
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00712C8C
  • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
  • Part of subcall function 006D2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
Strings
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X$`ey
• API String ID: 779396738-2559956516
• Opcode ID: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
• Instruction ID: f3acd069783520a3427f4d5b7f73361928434ce1b4181c12e51c1640b2e94f7e
• Opcode Fuzzy Hash: e94d857ff92967d5dc60788d4c5aeac331d5f787aa5bd4110fd4c6f216114c4d
• Instruction Fuzzy Hash: 8F21D571E002989FCF41EF94D805BEE7BFDAF49304F00805AE505A7381DBB85A898FA5
Uniqueness Score: -1.00%
APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
  • Part of subcall function 006F32A4: RaiseException.KERNEL32(?,?,?,006F068A,?,007A1444,?,?,?,?,?,?,006F068A,006D1129,00798738,006D1129), ref: 006F3304
• __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
Strings
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 9624c099be955ac27282aee6e8feb6b4d6941a1a7faf43a8a943944316501cc5
• Instruction ID: b9d73844da9c657c03d5d666fbaf22f2a80c3876ad2761b0dae18602de265253
• Opcode Fuzzy Hash: 9624c099be955ac27282aee6e8feb6b4d6941a1a7faf43a8a943944316501cc5
• Instruction Fuzzy Hash: 81F0AF2490030D678F40BBA5EC46CBE7B6E5E40350B604139BA14D6697EF71EA268685
Uniqueness Score: -1.00%
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0074302F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00743044
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
• Instruction ID: c0ca576805dbb845f597cac923ba711d507ade49646d5fa07fe5abf165e31afc
• Opcode Fuzzy Hash: 12435f73c79b8c93f44dd01208a040813a5f9e4d8c42e0d4135ebda64f38900d
• Instruction Fuzzy Hash: B9D05B715003146BDA209794EC0DFD73A6CD704750F004251BA96D6091DAF89544CAD4
Uniqueness Score: -1.00%
APIs
• GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007582F5
• TerminateProcess.KERNEL32(00000000), ref: 007582FC
• FreeLibrary.KERNEL32(?,?,?,?), ref: 007584DD
Similarity
• API ID: Process$CurrentFreeLibraryTerminate
• String ID:
• API String ID: 146820519-0
• Opcode ID: 24c73e08cb2023b97aac20ce09ac73ba743f85452ce88929c1b519645db0b259
• Instruction ID: 492b68a35eb308cde17d29ef77a5c1290b98a34d2730457b71771603d70e04b6
• Opcode Fuzzy Hash: 24c73e08cb2023b97aac20ce09ac73ba743f85452ce88929c1b519645db0b259
• Instruction Fuzzy Hash: 75128971A08341CFC754DF28C484B6ABBE1BF88315F04895DE8999B392DB74ED49CB92
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
  • Part of subcall function 006D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
  • Part of subcall function 006D1B4A: RegisterWindowMessageW.USER32(00000004,?,006D12C4), ref: 006D1BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006D136A
• OleInitialize.OLE32 ref: 006D1388
• CloseHandle.KERNEL32(00000000,00000000), ref: 007124AB
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 1986988660-0
• Opcode ID: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
• Instruction ID: 9f17bce51822351b02d89f9c5d9e550283cde2b9cd763b378b77b8fce3830cc7
• Opcode Fuzzy Hash: 0bcfe639f88879c6f69d3b224a70e40c5c3f1fd45fd58c7fb386079a14c7a82a
• Instruction Fuzzy Hash: 0771ADB8D053508EE388DF79A8556653AE1BBCB394B84C22ED41ACB361EB3C4450CF4D
Uniqueness Score: -1.00%
APIs
• SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 006D556D
• SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 006D557D
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 61cc7047ccae535b3b8f35f37f63957d47c67e1100644cf54cf3716a1a6be66a
• Instruction ID: 324f777e3f7241a3dfa0e983bf6925132d86f33d0ae656c4cce722fa51764e2c
• Opcode Fuzzy Hash: 61cc7047ccae535b3b8f35f37f63957d47c67e1100644cf54cf3716a1a6be66a
• Instruction Fuzzy Hash: 05314D71A00609EFDB15CF28D880B99B7B6FB48314F14862AE91697740D775FEA4CB90
Uniqueness Score: -1.00%
APIs
• FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,007085CC,?,00798CC8,0000000C), ref: 00708704
• GetLastError.KERNEL32(?,007085CC,?,00798CC8,0000000C), ref: 0070870E
• __dosmaperr.LIBCMT ref: 00708739
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
• Instruction ID: 692483a3ab54d14df2aed2cacb12682a3488c419d939deebaf568e5245d38394
• Opcode Fuzzy Hash: 1f3ace2534ec1a84c40c088d125207bb0b5266ea70c8fa8b1b060441bec4b30f
• Instruction Fuzzy Hash: 6E018232604220D6C6A06374984977F6BC54B92778F3A0319F8449B1D3DEAECC818696
Uniqueness Score: -1.00%
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00742CD4,?,?,?,00000004,00000001), ref: 00742FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00743006
• CloseHandle.KERNEL32(00000000,?,00742CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0074300D
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
• Instruction ID: dd4e283d859ded6fdf0dd26c028b53e92d08271436bc54c910d74d90e3d2b355
• Opcode Fuzzy Hash: 4df2f300734c34f3ecb1ca41f86b93a254bf06f43d938499bfbbbc7d656619c2
• Instruction Fuzzy Hash: BCE0863228031477D6352756BC0DF9B3A5CD786B71F118210F7AA751D086E5250142AC
Uniqueness Score: -1.00%
APIs
• __Init_thread_footer.LIBCMT ref: 006E17F6
Strings
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
• Opcode ID: 509a72afa86ebbcc6de8e12583905fe8b33f592e2870c0288b05dfecbb48081b
• Instruction ID: f6da508861ad4953d508e1535e926df3e83e9875443ea41a12b65b0f5a42479b
• Opcode Fuzzy Hash: 509a72afa86ebbcc6de8e12583905fe8b33f592e2870c0288b05dfecbb48081b
• Instruction Fuzzy Hash: AE22BEB0609381DFC714DF15C480A2ABBF2BF86314F24895EF4968B3A2D735E955DB82
Uniqueness Score: -1.00%
APIs
• _wcslen.LIBCMT ref: 00746F6B
  • Part of subcall function 006D4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
Strings
Similarity
• API ID: LibraryLoad_wcslen
• String ID: >>>AUTOIT SCRIPT<<<
• API String ID: 3312870042-2806939583
• Opcode ID: b205f975b122a5bfa5a7af97bb1c52a299224c204401b5b1f7c3169816acb848
• Instruction ID: ba556efb17790d468b4679f8ad39c5c8b89a74873f183d39f8a95131d7afef9c
• Opcode Fuzzy Hash: b205f975b122a5bfa5a7af97bb1c52a299224c204401b5b1f7c3169816acb848
• Instruction Fuzzy Hash: C9B181315082018FCB58EF24D49196EB7E6BF94310F04895EF896973A2EF34ED49CB96
Uniqueness Score: -1.00%
APIs
Strings
Similarity
• API ID: __fread_nolock
• String ID: EA06
• API String ID: 2638373210-3962188686
• Opcode ID: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
• Instruction ID: 23abeb72c3a8032d126283f335a7ac7ed2691ffe952cb8db910ec02898426db4
• Opcode Fuzzy Hash: 2aaa211946ca004be0fbfac83bf44f52a32881ab08cbab255393847560222f4a
• Instruction Fuzzy Hash: 9F01B5729042587EDF58D7A8CC56EBEBBF8DB05305F00459EF252D21C2E5B9E7188B60
Uniqueness Score: -1.00%
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
• Opcode ID: adb28ec2223352f5104074ac1a07ba821361ee7aaaf62b0607d5f67549f1b09c
• Instruction ID: 79c42ccf176c1bb4e22486b7fba26b862c6b782aefb7d067f0c048c44b7b10dd
• Opcode Fuzzy Hash: adb28ec2223352f5104074ac1a07ba821361ee7aaaf62b0607d5f67549f1b09c
• Instruction Fuzzy Hash: 29317F709043119FE761DF24D885797BBE8FB49708F00092EF59A97380E7B5AA44CB56
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006D949C,?,00008000), ref: 006D5773
• CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,006D949C,?,00008000), ref: 00714052
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 298f3c27fa7c68238330becef5bbabcf1b9e56ada1568108029b39bf56ca598f
• Instruction ID: 346007ad283ce3e9b144501b5bb7471edee31e46c44241eafa73c8a1764f2ad4
• Opcode Fuzzy Hash: 298f3c27fa7c68238330becef5bbabcf1b9e56ada1568108029b39bf56ca598f
• Instruction Fuzzy Hash: F1018030545325B6E3310A2ACC0EFA77F99EF067B0F208201BAAD5A2E0C7B45855CB94
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01541B2D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01541B51
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01541B73
Memory Dump Source
• Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
• Instruction ID: 28a45b32559271609c4eb5b82c21bb9cd58f0a9e2b9a5db56336373273321ee2
• Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
• Instruction Fuzzy Hash: 7812EC24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A4E77A5F81CB5A
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 006D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
  • Part of subcall function 006D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
  • Part of subcall function 006D4E90: FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
• LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EFD
  • Part of subcall function 006D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
  • Part of subcall function 006D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
  • Part of subcall function 006D4E59: FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
• Instruction ID: 3769fc95d8d3bfc9fa5135d166221eefd0471c2d829a7552919076a1cec7f099
• Opcode Fuzzy Hash: 3384d938227856286177b584c6346504aad8db13baf462737e5054dba906d9d4
• Instruction Fuzzy Hash: C511E332A10205ABCB14AF64DC06FAD77A6AF80710F10842FF542A62E1EE759E4597A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 8f691da837c2b9d5e3b2184535bbfddf57517aa4d00098b90e1ff1029d6efb54
• Instruction ID: 9e74547d622ed3aa9fcfc4ab4b14abffb69a5afdee45ef2d717e5a564d98165f
• Opcode Fuzzy Hash: 8f691da837c2b9d5e3b2184535bbfddf57517aa4d00098b90e1ff1029d6efb54
• Instruction Fuzzy Hash: A911487190410AEFCB05DF58E9459DE7BF4EF48300F104159F808AB352DA30EA11CBA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
• ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,006D543F,?,00010000,00000000,00000000,00000000,00000000), ref: 006D9A9C
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: b276c0220771caa3507def97566c475bd086dce3efe55db1224fd6a55891fa6f
• Instruction ID: ff09315885b6a971cc6fba888ee036656481c24d39c6c56eeb2224d3343062b4
• Opcode Fuzzy Hash: b276c0220771caa3507def97566c475bd086dce3efe55db1224fd6a55891fa6f
• Instruction Fuzzy Hash: F6114C32604B059FD720CF09C880BA6B7FAEF44754F18C42EE59B86751C770A945CB60
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00704C7D: RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
• _free.LIBCMT ref: 0070506C
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction ID: 11cf934ffb77c74cd605304aa006e28a374b8a00ecd16baae9fbab7f5e5de82b
• Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction Fuzzy Hash: 13012672204704EBE3218E65D885A5BFBECFB89370F250B1DE184972C0EA34A805CAB4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
• Instruction ID: 01e240f1e917896abc80fe4516ec04b53bd0c628eb0e8dd1ba13734fee0edde0
• Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
• Instruction Fuzzy Hash: 52F0F932510A1CD6C6313E698C09BBA37DA9F52335F100719F721D62E2DF75A40286AA
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000008,006D1129,00000000,?,00702E29,00000001,00000364,?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?), ref: 00704CBE
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 2a1da503a197f9b7ce5f53b2590544daa5a8d2e2f6e172effb38e5e2b0a3a7dc
• Instruction ID: 3199269f572017f9a9c47764da8140db7e3c88412d754547f9726722210c50b0
• Opcode Fuzzy Hash: 2a1da503a197f9b7ce5f53b2590544daa5a8d2e2f6e172effb38e5e2b0a3a7dc
• Instruction Fuzzy Hash: 43F0B471602228E7FB215F629C09B6B37C9AF817A0F148315FA1AA61C1CA78DC0046F4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 07224ee06ba8bbdae8e40ca07ef8ee1516b08c0374c19c0fcf1cdc2d67d875c3
• Instruction ID: 09fa9a2ec818a8685a1700816b2f390152e1071dd1a73c792986c850c77d881d
• Opcode Fuzzy Hash: 07224ee06ba8bbdae8e40ca07ef8ee1516b08c0374c19c0fcf1cdc2d67d875c3
• Instruction Fuzzy Hash: EEE0E531101228DAE7212A669C01BAB37CEAF827B0F0582A5FD05928C0CB59DE0182F4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FreeLibrary.KERNEL32(?,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4F6D
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 6f379503e744c828ed5a7a4d3527db2dc167e4f66e722b20b2b062dffc90dd9a
• Instruction ID: b1c3d25e88725391489fe39014f31fdd2428bd8c71544a5fa44e7e858eb0eb40
• Opcode Fuzzy Hash: 6f379503e744c828ed5a7a4d3527db2dc167e4f66e722b20b2b062dffc90dd9a
• Instruction Fuzzy Hash: 79F01571905752CFDB389F64D490862BBE6AF54329320C96FE2EA82721CB329C44DB50
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006D2DC4
  • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
Memory Dump Source
• Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
• Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
Similarity
• API ID: LongNamePath_wcslen
• String ID:
• API String ID: 541455249-0
• Opcode ID: 563135c96dd1cd83bd4d3c0f82aa29a19eab532faf434f93fec962cb82b71e52
• Instruction ID: 96d139bb0ee0fadfac485d8c487a3b054639c80b056c9e4d9a34d1f3b425df6e
• Opcode Fuzzy Hash: 563135c96dd1cd83bd4d3c0f82aa29a19eab532faf434f93fec962cb82b71e52
• Instruction Fuzzy Hash: 48E0CD72A042245BC711A258DC05FEA77EDDFC8790F044076FD09D7248D964AD808554
Uniqueness
• Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: __fread_nolock
                                                          • String ID:
                                                          • API String ID: 2638373210-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006D3908
                                                            • Part of subcall function 006DD730: GetInputState.USER32 ref: 006DD807
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 006D2B6B
                                                            • Part of subcall function 006D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006D314E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                          • String ID:
                                                          • API String ID: 3667716007-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00710704,?,?,00000000,?,00710704,00000000,0000000C), ref: 007103B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006D1CBC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: InfoParametersSystem
                                                          • String ID:
                                                          • API String ID: 3098949447-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,006D949C,?,00008000), ref: 006D5773
                                                          • GetLastError.KERNEL32(00000002,00000000), ref: 007476DE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateErrorFileLast
                                                          • String ID:
                                                          • API String ID: 1214770103-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNELBASE(000001F4), ref: 01542311
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0076961A
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0076965B
                                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0076969F
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007696C9
                                                          • SendMessageW.USER32 ref: 007696F2
                                                          • GetKeyState.USER32(00000011), ref: 0076978B
                                                          • GetKeyState.USER32(00000009), ref: 00769798
                                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007697AE
                                                          • GetKeyState.USER32(00000010), ref: 007697B8
                                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007697E9
                                                          • SendMessageW.USER32 ref: 00769810
                                                          • SendMessageW.USER32(?,00001030,?,00767E95), ref: 00769918
                                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0076992E
                                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00769941
                                                          • SetCapture.USER32(?), ref: 0076994A
                                                          • ClientToScreen.USER32(?,?), ref: 007699AF
                                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007699BC
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007699D6
                                                          • ReleaseCapture.USER32 ref: 007699E1
                                                          • GetCursorPos.USER32(?), ref: 00769A19
                                                          • ScreenToClient.USER32(?,?), ref: 00769A26
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769A80
                                                          • SendMessageW.USER32 ref: 00769AAE
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769AEB
                                                          • SendMessageW.USER32 ref: 00769B1A
                                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00769B3B
                                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00769B4A
                                                          • GetCursorPos.USER32(?), ref: 00769B68
                                                          • ScreenToClient.USER32(?,?), ref: 00769B75
                                                          • GetParent.USER32(?), ref: 00769B93
                                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00769BFA
                                                          • SendMessageW.USER32 ref: 00769C2B
                                                          • ClientToScreen.USER32(?,?), ref: 00769C84
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00769CB4
                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00769CDE
                                                          • SendMessageW.USER32 ref: 00769D01
                                                          • ClientToScreen.USER32(?,?), ref: 00769D4E
                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00769D82
                                                            • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00769E05
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                          • String ID: @GUI_DRAGID$F$p#z
                                                          • API String ID: 3429851547-1540955567
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007648F3
                                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00764908
                                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00764927
                                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0076494B
                                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0076495C
                                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0076497B
                                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007649AE
                                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007649D4
                                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00764A0F
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A56
                                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00764A7E
                                                          • IsMenu.USER32(?), ref: 00764A97
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764AF2
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00764B20
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00764B94
                                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00764BE3
                                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00764C82
                                                          • wsprintfW.USER32 ref: 00764CAE
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764CC9
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764CF1
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00764D13
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00764D33
                                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00764D5A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                          • String ID: %d/%02d/%02d
                                                          • API String ID: 4054740463-328681919
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006EF998
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0072F474
                                                          • IsIconic.USER32(00000000), ref: 0072F47D
                                                          • ShowWindow.USER32(00000000,00000009), ref: 0072F48A
                                                          • SetForegroundWindow.USER32(00000000), ref: 0072F494
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4AA
                                                          • GetCurrentThreadId.KERNEL32 ref: 0072F4B1
                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0072F4BD
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4CE
                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0072F4D6
                                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0072F4DE
                                                          • SetForegroundWindow.USER32(00000000), ref: 0072F4E1
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F4F6
                                                          • keybd_event.USER32(00000012,00000000), ref: 0072F501
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F50B
                                                          • keybd_event.USER32(00000012,00000000), ref: 0072F510
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F519
                                                          • keybd_event.USER32(00000012,00000000), ref: 0072F51E
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0072F528
                                                          • keybd_event.USER32(00000012,00000000), ref: 0072F52D
                                                          • SetForegroundWindow.USER32(00000000), ref: 0072F530
                                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0072F557
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 4125248594-2988720461
                                                          • Opcode ID: 17de642866ee97a1ccacce39f5d04e374aea8e4a31b135403823bef0630b0f23
                                                          • Instruction ID: 926c1e45b0aee2b34e01e9e6b845a478888befba4b1de5e980da59b5c3e4829e
                                                          • Opcode Fuzzy Hash: 17de642866ee97a1ccacce39f5d04e374aea8e4a31b135403823bef0630b0f23
                                                          • Instruction Fuzzy Hash: F2319671A403187BEB216FB65C4AFBF7E7CEB44B50F204065F602E61D1C6F55D10AA64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                                            • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                                            • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
                                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00731286
                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007312A8
                                                          • CloseHandle.KERNEL32(?), ref: 007312B9
                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007312D1
                                                          • GetProcessWindowStation.USER32 ref: 007312EA
                                                          • SetProcessWindowStation.USER32(00000000), ref: 007312F4
                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00731310
                                                            • Part of subcall function 007310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
                                                            • Part of subcall function 007310BF: CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                          • String ID: $default$winsta0$Zy
                                                          • API String ID: 22674027-3658735108
                                                          • Opcode ID: 26597b89d09fd08367231ad6219be8908724a0f2f93460ee0d6e83ae2b29a5be
                                                          • Instruction ID: 2286707e369433f30c1929e76b8c96cb9e6e2cba471c3f6a0c462a38e4463468
                                                          • Opcode Fuzzy Hash: 26597b89d09fd08367231ad6219be8908724a0f2f93460ee0d6e83ae2b29a5be
                                                          • Instruction Fuzzy Hash: AB81AC71900349AFEF219FA4DC49FFE7BB9EF04700F188129F911A61A2CB798944CB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                                            • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                                            • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                                            • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                                            • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730BCC
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730C00
                                                          • GetLengthSid.ADVAPI32(?), ref: 00730C17
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00730C51
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730C6D
                                                          • GetLengthSid.ADVAPI32(?), ref: 00730C84
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730C8C
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00730C93
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730CB4
                                                          • CopySid.ADVAPI32(00000000), ref: 00730CBB
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730CEA
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730D0C
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730D1E
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D45
                                                          • HeapFree.KERNEL32(00000000), ref: 00730D4C
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D55
                                                          • HeapFree.KERNEL32(00000000), ref: 00730D5C
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730D65
                                                          • HeapFree.KERNEL32(00000000), ref: 00730D6C
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00730D78
                                                          • HeapFree.KERNEL32(00000000), ref: 00730D7F
                                                            • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                                                            • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                                                            • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          • Opcode ID: d0da6c846c2da9ede811e80dd3f2df1d32031d6f1a5231efb55b3de6e90706bc
                                                          • Instruction ID: 2e4cc43748dea0ee93f3fc4515fb786a8a89af4e5da4d4779ff994940bc917d0
                                                          • Opcode Fuzzy Hash: d0da6c846c2da9ede811e80dd3f2df1d32031d6f1a5231efb55b3de6e90706bc
                                                          • Instruction Fuzzy Hash: 13717D72A0020AABEF11DFA4DC45FEEBBB8BF04300F048555E955A7192D7B9A905CBB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenClipboard.USER32(0076CC08), ref: 0074EB29
                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0074EB37
                                                          • GetClipboardData.USER32(0000000D), ref: 0074EB43
                                                          • CloseClipboard.USER32 ref: 0074EB4F
                                                          • GlobalLock.KERNEL32(00000000), ref: 0074EB87
                                                          • CloseClipboard.USER32 ref: 0074EB91
                                                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0074EBBC
                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0074EBC9
                                                          • GetClipboardData.USER32(00000001), ref: 0074EBD1
                                                          • GlobalLock.KERNEL32(00000000), ref: 0074EBE2
                                                          • GlobalUnlock.KERNEL32(00000000,?), ref: 0074EC22
                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 0074EC38
                                                          • GetClipboardData.USER32(0000000F), ref: 0074EC44
                                                          • GlobalLock.KERNEL32(00000000), ref: 0074EC55
                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0074EC77
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074EC94
                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0074ECD2
                                                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0074ECF3
                                                          • CountClipboardFormats.USER32 ref: 0074ED14
                                                          • CloseClipboard.USER32 ref: 0074ED59
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                          • String ID:
                                                          • API String ID: 420908878-0
                                                          • Opcode ID: e6de626559e3714a5b2a4c68e8a654830f8243c08acc1ddeee093c2b34f3a24c
                                                          • Instruction ID: 26bca0bc1d2f79236c8b5b7e59c8c7fe617b200fc349f9ecedf46cbd8b36394c
                                                          • Opcode Fuzzy Hash: e6de626559e3714a5b2a4c68e8a654830f8243c08acc1ddeee093c2b34f3a24c
                                                          • Instruction Fuzzy Hash: E661AC742043019FD301EF24D898F3A77A5FF84724F08855EF896872A2CB79E905CBA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 007469BE
                                                          • FindClose.KERNEL32(00000000), ref: 00746A12
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A4E
                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00746A75
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746AB2
                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00746ADF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                          • API String ID: 3830820486-3289030164
                                                          • Opcode ID: ce5ab46fd1609299e68eb528a3760ec7fe76e7fba490e43b7a37ed0cebaf3dc8
                                                          • Instruction ID: fe9c467129c160baf71d1a7cbb9fe03151f040d5701f3ae4040243f957447cb9
                                                          • Opcode Fuzzy Hash: ce5ab46fd1609299e68eb528a3760ec7fe76e7fba490e43b7a37ed0cebaf3dc8
                                                          • Instruction Fuzzy Hash: 42D173B1908340AFC754EBA4D891EABB7EDBF88704F44491EF585C7291EB74DA04CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00749663
                                                          • GetFileAttributesW.KERNEL32(?), ref: 007496A1
                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 007496BB
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 007496D3
                                                          • FindClose.KERNEL32(00000000), ref: 007496DE
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 007496FA
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0074974A
                                                          • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 00749768
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00749772
                                                          • FindClose.KERNEL32(00000000), ref: 0074977F
                                                          • FindClose.KERNEL32(00000000), ref: 0074978F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                          • String ID: *.*
                                                          • API String ID: 1409584000-438819550
                                                          • Opcode ID: 6a189900d562fd0f3cfdd0de180322517b7f1be12165ae9442f54888fe8bf475
                                                          • Instruction ID: 9dd12a5f6265c9a0a3a34b12d2d3c94abe420f8161b55ac953df22588976fcbd
                                                          • Opcode Fuzzy Hash: 6a189900d562fd0f3cfdd0de180322517b7f1be12165ae9442f54888fe8bf475
                                                          • Instruction Fuzzy Hash: B731F9725402196EDF11EFB4DC09AEF77ACAF09320F148156FA56E2190EB78DE448B14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 007497BE
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00749819
                                                          • FindClose.KERNEL32(00000000), ref: 00749824
                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00749840
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00749890
                                                          • SetCurrentDirectoryW.KERNEL32(00796B7C), ref: 007498AE
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 007498B8
                                                          • FindClose.KERNEL32(00000000), ref: 007498C5
                                                          • FindClose.KERNEL32(00000000), ref: 007498D5
                                                            • Part of subcall function 0073DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0073DB00
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                          • String ID: *.*
                                                          • API String ID: 2640511053-438819550
                                                          • Opcode ID: c780874a21ad45ac86f7947febb4d53a835f8b8b8cef2efe8260e8610610cd08
                                                          • Instruction ID: c049285ddb61d30c35fcd9dfff684781a7d875f4b443f07a49a77d302ff12b77
                                                          • Opcode Fuzzy Hash: c780874a21ad45ac86f7947febb4d53a835f8b8b8cef2efe8260e8610610cd08
                                                          • Instruction Fuzzy Hash: C931E4715003196EEF11EFB8EC49AEF77ACAF06320F148256FA51A2191DB78DE44CB24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLocalTime.KERNEL32(?), ref: 00748257
                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00748267
                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00748273
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00748310
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00748324
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00748356
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0074838C
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00748395
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CurrentDirectoryTime$File$Local$System
                                                          • String ID: *.*
                                                          • API String ID: 1464919966-438819550
                                                          • Opcode ID: 0c3c1c8d972425a22753478f90c2e5629657babe5ecc5d1133feb463515690b3
                                                          • Instruction ID: b7adcd07df4f8150e2f4655e967cec24d17107c75c5b6f2a12519b71cc609257
                                                          • Opcode Fuzzy Hash: 0c3c1c8d972425a22753478f90c2e5629657babe5ecc5d1133feb463515690b3
                                                          • Instruction Fuzzy Hash: 5A616A725043099FCB50EF64D8449AEB3E9FF89310F04891EF989C7251EB39E945CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                                            • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0073D122
                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0073D1DD
                                                          • MoveFileW.KERNEL32(?,?), ref: 0073D1F0
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D20D
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D237
                                                            • Part of subcall function 0073D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0073D21C,?,?), ref: 0073D2B2
                                                          • FindClose.KERNEL32(00000000,?,?,?), ref: 0073D253
                                                          • FindClose.KERNEL32(00000000), ref: 0073D264
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 1946585618-1173974218
                                                          • Opcode ID: 8d8350918ee7d2835e02ad51641f89498d10bb290706d340d4796fa6929d2817
                                                          • Instruction ID: bce085d378b6d754e39ed4505b7288ef27929317601873dc31b4c67e6b6eb938
                                                          • Opcode Fuzzy Hash: 8d8350918ee7d2835e02ad51641f89498d10bb290706d340d4796fa6929d2817
                                                          • Instruction Fuzzy Hash: 75618D31D0110D9FDF15EBE0EA929EEB776AF15300F24416AE40277292EB345F09DB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                          • String ID:
                                                          • API String ID: 1737998785-0
                                                          • Opcode ID: d7bc9851155d743fe890564f93417b07b91641f4f64ea739b960c5818ef115ae
                                                          • Instruction ID: 76fd42fe24232da41f34ba76e19fb0f16b4ea39360d2add1a9b01192d92906c7
                                                          • Opcode Fuzzy Hash: d7bc9851155d743fe890564f93417b07b91641f4f64ea739b960c5818ef115ae
                                                          • Instruction Fuzzy Hash: 1C417935604611AFE721DF15D888F2ABBA5FF44328F14C099E8568B662C779EC42CB98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 007316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                                            • Part of subcall function 007316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                                            • Part of subcall function 007316C3: GetLastError.KERNEL32 ref: 0073174A
                                                          • ExitWindowsEx.USER32(?,00000000), ref: 0073E932
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                          • String ID: $ $@$SeShutdownPrivilege
                                                          • API String ID: 2234035333-3163812486
                                                          • Opcode ID: 29605785c4c4f674a4c988537f27825083788cba4fe7177f13e150eb66884608
                                                          • Instruction ID: 7644832773076d6076f8b54017c6d6cdc5ef9e16c7ca41c84611a131e81c1e17
                                                          • Opcode Fuzzy Hash: 29605785c4c4f674a4c988537f27825083788cba4fe7177f13e150eb66884608
                                                          • Instruction Fuzzy Hash: 4B01D672610315EBFB5466B49C8ABBB725CA714750F154522FC03E21D3D5AD6C408395
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00751276
                                                          • WSAGetLastError.WSOCK32 ref: 00751283
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 007512BA
                                                          • WSAGetLastError.WSOCK32 ref: 007512C5
                                                          • closesocket.WSOCK32(00000000), ref: 007512F4
                                                          • listen.WSOCK32(00000000,00000005), ref: 00751303
                                                          • WSAGetLastError.WSOCK32 ref: 0075130D
                                                          • closesocket.WSOCK32(00000000), ref: 0075133C
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                                          • String ID:
                                                          • API String ID: 540024437-0
                                                          • Opcode ID: e11f8cacd6958e878d31d180a7fc7d56a5fac0d13bd429cabf37b67a729695c9
                                                          • Instruction ID: 4a023fd7b94370d9522c3e88ee3e41cf9f48f41cd75a973526b27d2c490e090f
                                                          • Opcode Fuzzy Hash: e11f8cacd6958e878d31d180a7fc7d56a5fac0d13bd429cabf37b67a729695c9
                                                          • Instruction Fuzzy Hash: B6419331A002019FD710DF24C498B69BBE6BF86319F588199D8568F396C7B9EC85CBE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 0070B9D4
                                                          • _free.LIBCMT ref: 0070B9F8
                                                          • _free.LIBCMT ref: 0070BB7F
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
                                                          • _free.LIBCMT ref: 0070BD4B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                          • String ID:
                                                          • API String ID: 314583886-0
                                                          • Opcode ID: ff62f05893bd03654710251118826394acccf7fcb898ef9175009f9c40334fa1
                                                          • Instruction ID: 8b73b1cf3add4b2e3befb79fdd0ba1a848c2488a021a9335b104180babde4212
                                                          • Opcode Fuzzy Hash: ff62f05893bd03654710251118826394acccf7fcb898ef9175009f9c40334fa1
                                                          • Instruction Fuzzy Hash: A6C118B1A04205DFDB20DF688C45BAABBE9EF82310F64839AE594D72D1D7389F418754
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                                            • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0073D420
                                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 0073D470
                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0073D481
                                                          • FindClose.KERNEL32(00000000), ref: 0073D498
                                                          • FindClose.KERNEL32(00000000), ref: 0073D4A1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                          • String ID: \*.*
                                                          • API String ID: 2649000838-1173974218
                                                          • Opcode ID: 259ae27599149230326c94fc5309cffa0ad0133f2c9da835e2d544ee5b2c9276
                                                          • Instruction ID: eac0b61cea7083ceae01ddbda10383e577232688b13f8a8e79fb91f9164828a7
                                                          • Opcode Fuzzy Hash: 259ae27599149230326c94fc5309cffa0ad0133f2c9da835e2d544ee5b2c9276
                                                          • Instruction Fuzzy Hash: 793190314083819FD315EF60D8918AFB7A9BE91300F444A1EF8D152292EB34AE09C7A7
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: __floor_pentium4
                                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                          • API String ID: 4168288129-2761157908
                                                          • Opcode ID: 4e7c5b1c64c152118a28c5fc1936f06ccb31f59c6b77d74653aaee0572b1885b
                                                          • Instruction ID: fc4c059e3dd3992df76e8b32b6770aea6016ab072556c73e08d9e955c1b7d637
                                                          • Opcode Fuzzy Hash: 4e7c5b1c64c152118a28c5fc1936f06ccb31f59c6b77d74653aaee0572b1885b
                                                          • Instruction Fuzzy Hash: C1C22971E04628CFDB65CE289D407EAB7F5EB44314F1446EAD84DE7281E778AE818F40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 007464DC
                                                          • CoInitialize.OLE32(00000000), ref: 00746639
                                                          • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 00746650
                                                          • CoUninitialize.OLE32 ref: 007468D4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 886957087-24824748
                                                          • Opcode ID: 23728add326f4e8799e038a8273b90ec5e76e3cf346854aa68f885b76ec5ca21
                                                          • Instruction ID: cb9ef2f34f99fcac94052ca47b1de849c821af0f6a8f52df6ca59be83f865122
                                                          • Opcode Fuzzy Hash: 23728add326f4e8799e038a8273b90ec5e76e3cf346854aa68f885b76ec5ca21
                                                          • Instruction Fuzzy Hash: 80D12871908301AFC354EF24C88196BB7E9FF95704F40496DF5958B2A1EB71ED05CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetForegroundWindow.USER32(?,?,00000000), ref: 007522E8
                                                            • Part of subcall function 0074E4EC: GetWindowRect.USER32(?,?), ref: 0074E504
                                                          • GetDesktopWindow.USER32 ref: 00752312
                                                          • GetWindowRect.USER32(00000000), ref: 00752319
                                                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00752355
                                                          • GetCursorPos.USER32(?), ref: 00752381
                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007523DF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                          • String ID:
                                                          • API String ID: 2387181109-0
                                                          • Opcode ID: 765aaeedce4ff849935b1ed7c3d945a0398f145955c4d746b5e8d2adc2ed0767
                                                          • Instruction ID: ada55b00d8781adb8c5756bfe7e74830e864a914e828ce3784f89565fd000adf
                                                          • Opcode Fuzzy Hash: 765aaeedce4ff849935b1ed7c3d945a0398f145955c4d746b5e8d2adc2ed0767
                                                          • Instruction Fuzzy Hash: 1F310072104345AFD720DF54CC48BABBBA9FF85310F000919F98697182DBB8EA09CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00749B78
                                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00749C8B
                                                            • Part of subcall function 00743874: GetInputState.USER32 ref: 007438CB
                                                            • Part of subcall function 00743874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
                                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00749BA8
                                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00749C75
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                          • String ID: *.*
                                                          • API String ID: 1972594611-438819550
                                                          • Opcode ID: b3df43d570d51e2f402f6c553749f3b61d804d4bbd63d15b49ce6f7720d72e27
                                                          • Instruction ID: 182ebe23035464f94f5a1a4284ce08357c866eb50e0760f73a40d2cca932f5be
                                                          • Opcode Fuzzy Hash: b3df43d570d51e2f402f6c553749f3b61d804d4bbd63d15b49ce6f7720d72e27
                                                          • Instruction Fuzzy Hash: 6C419071D0020A9FCF55DFB4C989AEEBBB9EF05300F24415AE905A2291EB349E84CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 006E9A4E
                                                          • GetSysColor.USER32(0000000F), ref: 006E9B23
                                                          • SetBkColor.GDI32(?,00000000), ref: 006E9B36
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Color$LongProcWindow
                                                          • String ID:
                                                          • API String ID: 3131106179-0
                                                          • Opcode ID: 71d67bfb49a92f646ffba73c8a7da5ac1453249e6257f14826549e441ab62c2c
                                                          • Instruction ID: 28c86317299bfd33e0a8eb43354ab93956642fb2f3a4ce3490b17ac741a9cfeb
                                                          • Opcode Fuzzy Hash: 71d67bfb49a92f646ffba73c8a7da5ac1453249e6257f14826549e441ab62c2c
                                                          • Instruction Fuzzy Hash: 08A1397010A7A0FEE72D9A2E9D59DBB365FDF82304F144229F902C6791CA2D9D02C676
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                                            • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
                                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0075185D
                                                          • WSAGetLastError.WSOCK32 ref: 00751884
                                                          • bind.WSOCK32(00000000,?,00000010), ref: 007518DB
                                                          • WSAGetLastError.WSOCK32 ref: 007518E6
                                                          • closesocket.WSOCK32(00000000), ref: 00751915
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 1601658205-0
                                                          • Opcode ID: 221ae7fb6fafcf6d4f0d8de9b9a7653b987f2afc802010eae11212d87297ac2e
                                                          • Instruction ID: c407075c5f2950f4b479861e2bb77e6603acefab2388f9c2327bb913dbe9ed29
                                                          • Opcode Fuzzy Hash: 221ae7fb6fafcf6d4f0d8de9b9a7653b987f2afc802010eae11212d87297ac2e
                                                          • Instruction Fuzzy Hash: 5551D471A002009FE720AF24C886F6A77E69B44718F54805DF9469F3C3C7B5AD41CBE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                          • String ID:
                                                          • API String ID: 292994002-0
                                                          • Opcode ID: 5469aca9d19c6d7456f4cd595aaae1e6a56209e90352807a8c12b26d45962c13
                                                          • Instruction ID: 57dad3b70f95f710f34e9ebd65a39afcc3aa1d7c0278e67fac60c56f80b37cf1
                                                          • Opcode Fuzzy Hash: 5469aca9d19c6d7456f4cd595aaae1e6a56209e90352807a8c12b26d45962c13
                                                          • Instruction Fuzzy Hash: 7A21B1317406019FD7218F2AC848B6A7BA5EF95324B9D8059EC47CB352CBB9DC42CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                          • API String ID: 0-1546025612
                                                          • Opcode ID: ba38798e410491dae5b845a6c3c9afdf7cdbd403ea7af68e1c94db77ac390410
                                                          • Instruction ID: efcc6938f8e35a1f35dbea4f23efc3e309a218667f0b2e7dc190ecb63132d0b8
                                                          • Opcode Fuzzy Hash: ba38798e410491dae5b845a6c3c9afdf7cdbd403ea7af68e1c94db77ac390410
                                                          • Instruction Fuzzy Hash: 1CA23C71E0061ACFDF24CF58C8447EDB7B2BB54314F2481AAE855A7385EB789D81CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 007382AA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: lstrlen
                                                          • String ID: ($tby$|
                                                          • API String ID: 1659193697-2466584908
                                                          • Opcode ID: 0de242d7e481386d20b9973b7026b7ce26163057704f0b49402403698da2ec18
                                                          • Instruction ID: ba284e5c921038b52b2eb15278b4e4f79bf28b77b3e0acc91572e785a4e4fe4e
                                                          • Opcode Fuzzy Hash: 0de242d7e481386d20b9973b7026b7ce26163057704f0b49402403698da2ec18
                                                          • Instruction Fuzzy Hash: B2323574A00705DFDB68CF59C081A6AB7F1FF48710B15856EE49ADB3A2EB74E941CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0075A6AC
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0075A6BA
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0075A79C
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075A7AB
                                                            • Part of subcall function 006ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00713303,?), ref: 006ECE8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                          • String ID:
                                                          • API String ID: 1991900642-0
                                                          • Opcode ID: b02fa3c39eccef152df7966749a865c0280b53784d8aa20ac033c79fa64ed8b8
                                                          • Instruction ID: 7846b0c523e5dbecaee7f45f4c12ba40fca8bb249599fd89b8535eaecb573475
                                                          • Opcode Fuzzy Hash: b02fa3c39eccef152df7966749a865c0280b53784d8aa20ac033c79fa64ed8b8
                                                          • Instruction Fuzzy Hash: 28518F71908300AFD750DF24C885A6BBBE9FF89754F00892EF98597351EB74D904CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0073AAAC
                                                          • SetKeyboardState.USER32(00000080), ref: 0073AAC8
                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0073AB36
                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0073AB88
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: 4bd650200eb1c085d6d9ef9c9f27ca8063e517b6d0ee1f2c7e1094429be5ee9a
                                                          • Instruction ID: 129404737919c7410d2705fcaff36fe9de98f035896fdfe152072b2e7bf3ceb6
                                                          • Opcode Fuzzy Hash: 4bd650200eb1c085d6d9ef9c9f27ca8063e517b6d0ee1f2c7e1094429be5ee9a
                                                          • Instruction Fuzzy Hash: E131E7B1A40248BEFF35CB65CC06BFABBAAAB44310F04821AE5C1565D2D37D8981C767
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 0074CE89
                                                          • GetLastError.KERNEL32(?,00000000), ref: 0074CEEA
                                                          • SetEvent.KERNEL32(?,?,00000000), ref: 0074CEFE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorEventFileInternetLastRead
                                                          • String ID:
                                                          • API String ID: 234945975-0
                                                          • Opcode ID: 370d55c21c6df1f56bf593ecd3ddd77ff4c135276c20d69096285406fc835a3a
                                                          • Instruction ID: 5e83847490e8a6298e77c76b65a89ae602836447611fa2be20e10eb850a88be2
                                                          • Opcode Fuzzy Hash: 370d55c21c6df1f56bf593ecd3ddd77ff4c135276c20d69096285406fc835a3a
                                                          • Instruction Fuzzy Hash: 8021CFB2501305DFEB62DFA5C948BA77BFCEB00314F10842EE646D2151E778EE088B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00745CC1
                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00745D17
                                                          • FindClose.KERNEL32(?), ref: 00745D5F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Find$File$CloseFirstNext
                                                          • String ID:
                                                          • API String ID: 3541575487-0
                                                          • Opcode ID: 73242736e3870168cf8150d49649f91d606bbb03bde18f89c77f7e53cf9faeb4
                                                          • Instruction ID: a565a0a961876adbc12d59d87389946b627acb421cecd4df7ad2889286429179
                                                          • Opcode Fuzzy Hash: 73242736e3870168cf8150d49649f91d606bbb03bde18f89c77f7e53cf9faeb4
                                                          • Instruction Fuzzy Hash: EA516874A04A019FC714DF28C494A9AB7E5FF49324F14855EE99A8B3A2DB34ED04CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsDebuggerPresent.KERNEL32 ref: 0070271A
                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00702724
                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00702731
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                          • String ID:
                                                          • API String ID: 3906539128-0
                                                          • Opcode ID: 10c37ab6fa80ee9a3f2465fad78fcb503204293edf5eb32fb2fad4c58867823e
                                                          • Instruction ID: 6de7ad7c03e04120af60d7a20141a5c827c0e0574be8d558ef923d8ef415efe7
                                                          • Opcode Fuzzy Hash: 10c37ab6fa80ee9a3f2465fad78fcb503204293edf5eb32fb2fad4c58867823e
                                                          • Instruction Fuzzy Hash: 9631C47591121C9BCB61DF68DC88798BBB8BF08310F5042EAE90CA6261E7749F818F49
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 007451DA
                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00745238
                                                          • SetErrorMode.KERNEL32(00000000), ref: 007452A1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DiskFreeSpace
                                                          • String ID:
                                                          • API String ID: 1682464887-0
                                                          • Opcode ID: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
                                                          • Instruction ID: cb428331a942e173e58d8081716f406feec75a5c1e3b666248eb3a6dbb6df7db
                                                          • Opcode Fuzzy Hash: 1368a1a95e7841840ae6ee3b64f494694afe8f662db0178cf1cb354328d4a80a
                                                          • Instruction Fuzzy Hash: F3318F75A00608DFDB00DF94D884EADBBB5FF49314F08809AE805AB362DB75EC46CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0668
                                                            • Part of subcall function 006EFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006F0685
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0073170D
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0073173A
                                                          • GetLastError.KERNEL32 ref: 0073174A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                          • String ID:
                                                          • API String ID: 577356006-0
                                                          • Opcode ID: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
                                                          • Instruction ID: 058585ce52833b0e7ae5efef695a214eb2aea3def8902183c3392c42866e24c2
                                                          • Opcode Fuzzy Hash: b3972c858636e6ab0fa7aff2e3fdc459fc30a003364eef0cd6d1f50bdbc1210d
                                                          • Instruction Fuzzy Hash: 0011C1B2404309AFE718AF54DC86D6ABBBDEF04754B24852EE05657242EB75BC418B24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D608
                                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0073D645
                                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0073D650
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseControlCreateDeviceFileHandle
                                                          • String ID:
                                                          • API String ID: 33631002-0
                                                          • Opcode ID: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
                                                          • Instruction ID: 4b94de717043dfe8f0183ecbf240466d265ef23043a4e2c3a595e0f54d22b1a6
                                                          • Opcode Fuzzy Hash: 92cd15ec0e4607a55dfc0f5c3501bdad32f40509ec84ba31778af0b7981eb8b4
                                                          • Instruction Fuzzy Hash: 4C117C71E01228BFEB208F95EC45FAFBBBCEB45B50F108111F914E7290C2B44A058BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0073168C
                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007316A1
                                                          • FreeSid.ADVAPI32(?), ref: 007316B1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                          • String ID:
                                                          • API String ID: 3429775523-0
                                                          • Opcode ID: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
                                                          • Instruction ID: ce25ff58142e55fb1f2cacf6199394dbe537d454f2c16ef468f29fa9f995e1fd
                                                          • Opcode Fuzzy Hash: fe61f2be3367b20cc2006f2da4fc4e16b2eacfb869aaa6c095d1f1dea4584750
                                                          • Instruction Fuzzy Hash: 29F0F471950309FBEB00DFE49D89AAEBBBCEB08604F508565E601E2181E778AA448A54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D09
                                                          • TerminateProcess.KERNEL32(00000000,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000,?,007028E9), ref: 006F4D10
                                                          • ExitProcess.KERNEL32 ref: 006F4D22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$CurrentExitTerminate
                                                          • String ID:
                                                          • API String ID: 1703294689-0
                                                          • Opcode ID: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
                                                          • Instruction ID: 53034d1fc41a8cb638c4b4dab46f84ac2bb22d4284ca608a6440f235a070d544
                                                          • Opcode Fuzzy Hash: 1718cc2e888df65891bc45fcf5e540061adf48f7a6a3b0a8cc9986c471beacb1
                                                          • Instruction Fuzzy Hash: A8E0B63100024CABDF12AF55DD09AAA3F6AEF86781B108018FD569A722DB79DD42CA84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: /
                                                          • API String ID: 0-2043925204
                                                          • Opcode ID: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
                                                          • Instruction ID: e4962ac9915e105f42fb9ed5e245cadedddf7245ddaaffb5c048f85a8d2ff4cb
                                                          • Opcode Fuzzy Hash: 3b70dd2df338deecaea4cae5e0a9675701409c17ec331c537c5c7a859d3da43e
                                                          • Instruction Fuzzy Hash: 15411372900219EBCB209FB9DC89EBBB7B8EB84314F1083A9F905D71C0E6749D818B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserNameW.ADVAPI32(?,?), ref: 0072D28C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: NameUser
                                                          • String ID: X64
                                                          • API String ID: 2645101109-893830106
                                                          • Opcode ID: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
                                                          • Instruction ID: 1119d53399aea9467d0e0056da3568c405e23970d8a8cd78d314b90c0294ea57
                                                          • Opcode Fuzzy Hash: b8cfc341ca2d6c387d59d4fa769c0111609583b75a211ffec9d90fcdf6681f46
                                                          • Instruction Fuzzy Hash: 8BD0C9B480122DEACB90CB90EC88DE9B3BCBB04305F104151F106A2000D77495498F20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                          • Instruction ID: ba0365c1a72ca61a4afb93015a2935d88e6a427ea186bc285cec63f6549ed68a
                                                          • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                                          • Instruction Fuzzy Hash: 73020B71E0111D9BDF14CFA9C9806EDFBB2EF48324F254169D919EB384D731A941CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Variable is not of type 'Object'.$p#z
                                                          • API String ID: 0-3775082255
                                                          • Opcode ID: e9922dae80c8e01bca960004ccc62ac921d87443b11cc9f9c57d48b7ff8316da
                                                          • Instruction ID: c77ace521d97e9d5065aeab2a68c06def175dfd7d0993c73d22dcdbcd5200f6e
                                                          • Opcode Fuzzy Hash: e9922dae80c8e01bca960004ccc62ac921d87443b11cc9f9c57d48b7ff8316da
                                                          • Instruction Fuzzy Hash: 44327B70D00219DBCF14DF94D895AEDB7B6FF05314F24805AE806AB392D779AE46CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindFirstFileW.KERNEL32(?,?), ref: 00746918
                                                          • FindClose.KERNEL32(00000000), ref: 00746961
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Find$CloseFileFirst
                                                          • String ID:
                                                          • API String ID: 2295610775-0
                                                          • Opcode ID: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
                                                          • Instruction ID: 2b3f235004075b184e7897b598c60a9ae3230abdf1cd7d8b6e16b88bbccaa9a2
                                                          • Opcode Fuzzy Hash: b0fbcef897da9bea61239b0c047e1023915fba8999aefa7a7093640c398d35d2
                                                          • Instruction Fuzzy Hash: DC1190716042019FD710DF29D484A26BBE5FF85328F14C69EE8698F3A2CB74EC05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437E4
                                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00754891,?,?,00000035,?), ref: 007437F4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID:
                                                          • API String ID: 3479602957-0
                                                          • Opcode ID: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
                                                          • Instruction ID: 451ca3856260a129efc65e0ee2f8adc78b029877127fe934cec231ddd7e37ac2
                                                          • Opcode Fuzzy Hash: eeeb3748f0d9b9cd206abbd29b1514b920e9d5f0827959c6d410a24b046f5aba
                                                          • Instruction Fuzzy Hash: 7CF0E5B06053286AE76117668C8DFEB3AAEEFC4761F004265F509D22C1DAB49944C6B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0073B25D
                                                          • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0073B270
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: InputSendkeybd_event
                                                          • String ID:
                                                          • API String ID: 3536248340-0
                                                          • Opcode ID: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
                                                          • Instruction ID: 6df41ec45da500ad7f6b0bc06ff971cdef3be87976634d45c7f951161a561928
                                                          • Opcode Fuzzy Hash: 0b9322a0ada63b926752078078164d882f61f2b2d9f033001b7b2244826bcd80
                                                          • Instruction Fuzzy Hash: F7F0127180424DABDB059FA1C8057BE7BB4FF04305F148009F955A5192C77D86119F94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007311FC), ref: 007310D4
                                                          • CloseHandle.KERNEL32(?,?,007311FC), ref: 007310E9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                          • String ID:
                                                          • API String ID: 81990902-0
                                                          • Opcode ID: 0c81c028360bf33ce80bfcaa292c82e6c64f4e96744a20b51d712221978ea4f1
                                                          • Instruction ID: 0472cc47743c23b4a69a508b70ba4da402f138558793fee8756d09e48af970e2
                                                          • Opcode Fuzzy Hash: 0c81c028360bf33ce80bfcaa292c82e6c64f4e96744a20b51d712221978ea4f1
                                                          • Instruction Fuzzy Hash: 08E04F32008740AFF7262B12FC05E777BA9EF04310F10C82DF4A6804B1DBA26C90DB14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00706766,?,?,00000008,?,?,0070FEFE,00000000), ref: 00706998
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ExceptionRaise
                                                          • String ID:
                                                          • API String ID: 3997070919-0
                                                          • Opcode ID: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
                                                          • Instruction ID: 7e1ce935d055ed727ac09b44ab553ceba95f5c1b5a756cb68a1575e2e3a477ea
                                                          • Opcode Fuzzy Hash: bafe0fec2148d9f80ad823e64421f9f7561004f523f59739c99b8bdad8f904e5
                                                          • Instruction Fuzzy Hash: D1B10571610608DFDB15CF28C49AB657BE0FB45364F25C658E899CF2E2C339E9A1CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277
                                                          • Opcode ID: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
                                                          • Instruction ID: 0a38e2fa34a2571865719cf329d9a6ff479ba65fcd3c584dcf644860f6bfdf72
                                                          • Opcode Fuzzy Hash: 302f7e0a285ee33d16a564a68d366b9222082ee351ff8102c472410c7a6da864
                                                          • Instruction Fuzzy Hash: 11127F71901229DBCB54CF59D881AEEB7F5FF48310F1481AAE809EB255EB349E81CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • BlockInput.USER32(00000001), ref: 0074EABD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: BlockInput
                                                          • String ID:
                                                          • API String ID: 3456056419-0
                                                          • Opcode ID: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
                                                          • Instruction ID: 40037cca7cd9eb2455f7838ba556cfbcf0cf3592421f0df82704f92a4fce4f06
                                                          • Opcode Fuzzy Hash: f3d81005c38b7611183402324b452e2980b936fdf5a5f03f3ac515f1accfb41a
                                                          • Instruction Fuzzy Hash: 11E01A312002059FC710EF59D804EAAB7E9BF98770F00C41AFD8AC7361DBB4A8408B94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006F03EE), ref: 006F09DA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFilterUnhandled
                                                          • String ID:
                                                          • API String ID: 3192549508-0
                                                          • Opcode ID: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
                                                          • Instruction ID: affbd668b4b02449cdead1a49988709635f711dc891ddf25beb500da3dd9948e
                                                          • Opcode Fuzzy Hash: f489ea8c91d0fb0b7a3c1d3df5387af7881b36bf58a62d3a021276c51cd31ab5
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0
                                                          • API String ID: 0-4108050209
                                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction ID: 49cd43dd53e8c6a144dd8756219a9541778ea1c39d6a0f3090c4c4d325dec89c
                                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                          • Instruction Fuzzy Hash: 6951797160C70D5BDB388968885E7FE67DB9B12380F18052EEB92D7382CA55DE03D35A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0&z
                                                          • API String ID: 0-2820941700
                                                          • Opcode ID: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
                                                          • Instruction ID: 78fa2d245e396c6b82c44dd04dae84c5b4ab51d1a6adbcccf999210eff2e8e03
                                                          • Opcode Fuzzy Hash: d13d7ad5f396863204dd0080da75ade720c532cb8c51b8f80897acd95b46c113
                                                          • Instruction Fuzzy Hash: BD21E7323216118BD728CF79C82367E73E5A794310F148A2EE4A7C37D1DE3AA905CB84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
                                                          • Instruction ID: 381d433856c0a6ee5eb19534b33c23f731c6521d023dbd8b145d0cc7e36860a5
                                                          • Opcode Fuzzy Hash: a9c2066cb2894a89233c51479eac4db81d8b812cabec05727c6e5fca42b3365f
                                                          • Instruction Fuzzy Hash: 9D32F221D29F418DD7279634CC22335A689AFB73C5F15D737E82AB59AAEB2DD4C38100
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
                                                          • Instruction ID: aaca0146c2dc89ad00afd5e2e1306f3546f902c4b8fff4ad2527d53b354d3168
                                                          • Opcode Fuzzy Hash: 5e82e2b8fff1fdea07d106e46cdf284e001a0bed0978d97c4c53d528e9ae46c9
                                                          • Instruction Fuzzy Hash: FA323931A002A58BDF26CF29E490ABD77B2EF55310F38816AE449DB391D63CDD82DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74c34daaeaa1e2ede023197de2a985f2165b0b22d79c905658dc180e700dfae4
                                                          • Instruction ID: a7fd4614074684c2e14e2281b999083a289a15b8dd61a8c58ccfec64ab8c6b87
                                                          • Opcode Fuzzy Hash: 74c34daaeaa1e2ede023197de2a985f2165b0b22d79c905658dc180e700dfae4
                                                          • Instruction Fuzzy Hash: A7229F70E04609DFDF18CF68C881AEEB7B6FF44300F14462AE816A7391EB39A955CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 396ddd88ece3eff881530101071a19e93c03552739033ea832a2ab20e5b013c8
                                                          • Instruction ID: 019e2c88f922e2e323763c35d3a9862419e3fe54cc70df31c9e81240140fddc2
                                                          • Opcode Fuzzy Hash: 396ddd88ece3eff881530101071a19e93c03552739033ea832a2ab20e5b013c8
                                                          • Instruction Fuzzy Hash: 7E02A6B1E0020AEBDB14DF58D881AADB7B2FF44300F118169E8569B3D1EB35EE51CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
                                                          • Instruction ID: 6834b538051ee04cdaa27bc7852b169284fef0925481475f05999aaa2a527a22
                                                          • Opcode Fuzzy Hash: 4a27130f7ea7df12b1d90b501ae831a013f3873148f0a08b9036079981984457
                                                          • Instruction Fuzzy Hash: 5461677120C70E9AEE749E2C8D95BFE2397DF52704F10095EEB42DB381DA51AE42C319
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7ce18890b009c9d1ea0a50a033c640a930bf900d30e7c0a9526041f981020174
                                                          • Instruction ID: c0bb6f476d9b33720590524def0e98de7b3ce2365d4b6b4e72c523cbe3c40260
                                                          • Opcode Fuzzy Hash: 7ce18890b009c9d1ea0a50a033c640a930bf900d30e7c0a9526041f981020174
                                                          • Instruction Fuzzy Hash: 2E61693160870D56DE388A289856BFF239BEF42704F90195EEB42DB381DA529D42C359
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                          • Instruction ID: 4febe6097c4eec187ce9222b9cec745e906c6974684e1b8264e52157b12fbf0c
                                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                          • Instruction Fuzzy Hash: 5741C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                          • Instruction ID: fec4eca32dc9b5af95bbc7d2ca2a2ca4e8970ac961b711122957024943aa15f6
                                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                          • Instruction Fuzzy Hash: 28019278A01109EFCB84DF98C5909AEF7F5FF48314F208599D909AB311E730AE41DB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                          • Instruction ID: 99535082c281f7c589f7f5a2a36de1887b0c6d32c5694867b9668e3d919e15a9
                                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                          • Instruction Fuzzy Hash: C9019278A00109EFCB85DF98C5909AEF7F5FB48314F208599D819AB311D730AE41DB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100886020.0000000001540000.00000040.00001000.00020000.00000000.sdmp, Offset: 01540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1540000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00752B30
                                                          • DeleteObject.GDI32(00000000), ref: 00752B43
                                                          • DestroyWindow.USER32 ref: 00752B52
                                                          • GetDesktopWindow.USER32 ref: 00752B6D
                                                          • GetWindowRect.USER32(00000000), ref: 00752B74
                                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00752CA3
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00752CB1
                                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752CF8
                                                          • GetClientRect.USER32(00000000,?), ref: 00752D04
                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00752D40
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D62
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D75
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D80
                                                          • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D89
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752D98
                                                          • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DA1
                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DA8
                                                          • GlobalFree.KERNEL32(00000000), ref: 00752DB3
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752DC5
                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0076FC38,00000000), ref: 00752DDB
                                                          • GlobalFree.KERNEL32(00000000), ref: 00752DEB
                                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00752E11
                                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00752E30
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00752E52
                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0075303F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                          • API String ID: 2211948467-2373415609
                                                          • Opcode ID: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
                                                          • Instruction ID: 14c82aa4abbbfd0fa01d2a284d004b6a8ef68a0de11b8e12991e8fc07b1321b2
                                                          • Opcode Fuzzy Hash: f5595ed05157340c7329c10a2d959f1f58b19d3bff0d5c2eab9e6e32c35dd2e4
                                                          • Instruction Fuzzy Hash: 89029F71900209EFDB15DF64DC89EAE7BB9FB49311F008109F915AB2A1DBB8AD05CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetTextColor.GDI32(?,00000000), ref: 0076712F
                                                          • GetSysColorBrush.USER32(0000000F), ref: 00767160
                                                          • GetSysColor.USER32(0000000F), ref: 0076716C
                                                          • SetBkColor.GDI32(?,000000FF), ref: 00767186
                                                          • SelectObject.GDI32(?,?), ref: 00767195
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007671C0
                                                          • GetSysColor.USER32(00000010), ref: 007671C8
                                                          • CreateSolidBrush.GDI32(00000000), ref: 007671CF
                                                          • FrameRect.USER32(?,?,00000000), ref: 007671DE
                                                          • DeleteObject.GDI32(00000000), ref: 007671E5
                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00767230
                                                          • FillRect.USER32(?,?,?), ref: 00767262
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00767284
                                                            • Part of subcall function 007673E8: GetSysColor.USER32(00000012), ref: 00767421
                                                            • Part of subcall function 007673E8: SetTextColor.GDI32(?,?), ref: 00767425
                                                            • Part of subcall function 007673E8: GetSysColorBrush.USER32(0000000F), ref: 0076743B
                                                            • Part of subcall function 007673E8: GetSysColor.USER32(0000000F), ref: 00767446
                                                            • Part of subcall function 007673E8: GetSysColor.USER32(00000011), ref: 00767463
                                                            • Part of subcall function 007673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
                                                            • Part of subcall function 007673E8: SelectObject.GDI32(?,00000000), ref: 00767482
                                                            • Part of subcall function 007673E8: SetBkColor.GDI32(?,00000000), ref: 0076748B
                                                            • Part of subcall function 007673E8: SelectObject.GDI32(?,?), ref: 00767498
                                                            • Part of subcall function 007673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
                                                            • Part of subcall function 007673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
                                                            • Part of subcall function 007673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                          • String ID:
                                                          • API String ID: 4124339563-0
                                                          • Opcode ID: 527a456a0f2a23dffb19e1cb182c3a74db89f48813fbf6d5ea85849cd04e7438
                                                          • Instruction ID: 4b0e5bbc4b233345bf4b39c2bd8dd3a77010c4f2737830aa4d694ecc755e83cf
                                                          • Opcode Fuzzy Hash: 527a456a0f2a23dffb19e1cb182c3a74db89f48813fbf6d5ea85849cd04e7438
                                                          • Instruction Fuzzy Hash: F6A1C172008305EFDB069F60DC48E6B7BA9FF89364F104A19F9A3961E1D7B8E844CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DestroyWindow.USER32(00000000), ref: 0075273E
                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0075286A
                                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007528A9
                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007528B9
                                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00752900
                                                          • GetClientRect.USER32(00000000,?), ref: 0075290C
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00752955
                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00752964
                                                          • GetStockObject.GDI32(00000011), ref: 00752974
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00752978
                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00752988
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00752991
                                                          • DeleteDC.GDI32(00000000), ref: 0075299A
                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007529C6
                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 007529DD
                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00752A1D
                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00752A31
                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00752A42
                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00752A77
                                                          • GetStockObject.GDI32(00000011), ref: 00752A82
                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00752A8D
                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00752A97
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                          • API String ID: 2910397461-517079104
                                                          • Opcode ID: e46c81caba3f7c2be75e273f40b999662f3c021ce17b873d71caf55c3614345e
                                                          • Instruction ID: 3b431d28ec751e0e2ab31efd205dc064d2ec17bd1ac2c34280db8d5a36c3aeaa
                                                          • Opcode Fuzzy Hash: e46c81caba3f7c2be75e273f40b999662f3c021ce17b873d71caf55c3614345e
                                                          • Instruction Fuzzy Hash: 6EB19FB1A00215AFEB14DFA8DC45FAE7BA9EB49711F008115F915E7291D7B8ED00CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00744AED
                                                          • GetDriveTypeW.KERNEL32(?,0076CB68,?,\\.\,0076CC08), ref: 00744BCA
                                                          • SetErrorMode.KERNEL32(00000000,0076CB68,?,\\.\,0076CC08), ref: 00744D36
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$DriveType
                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                          • API String ID: 2907320926-4222207086
                                                          • Opcode ID: 529dcb761114f399433c4dfc1f8dca62882209177102c791c74b0f918ba0c289
                                                          • Instruction ID: 3a58bc7a985b63cb0183a992cc02bb70f01550bdfcd92e2eeda452b9ffbda9ef
                                                          • Opcode Fuzzy Hash: 529dcb761114f399433c4dfc1f8dca62882209177102c791c74b0f918ba0c289
                                                          • Instruction Fuzzy Hash: 7E61AFB0B05205DBCF04DF24DAD2A78B7B1EB05341B28851AF806AB691DB3DED41FB65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSysColor.USER32(00000012), ref: 00767421
                                                          • SetTextColor.GDI32(?,?), ref: 00767425
                                                          • GetSysColorBrush.USER32(0000000F), ref: 0076743B
                                                          • GetSysColor.USER32(0000000F), ref: 00767446
                                                          • CreateSolidBrush.GDI32(?), ref: 0076744B
                                                          • GetSysColor.USER32(00000011), ref: 00767463
                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00767471
                                                          • SelectObject.GDI32(?,00000000), ref: 00767482
                                                          • SetBkColor.GDI32(?,00000000), ref: 0076748B
                                                          • SelectObject.GDI32(?,?), ref: 00767498
                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 007674B7
                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007674CE
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 007674DB
                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0076752A
                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00767554
                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00767572
                                                          • DrawFocusRect.USER32(?,?), ref: 0076757D
                                                          • GetSysColor.USER32(00000011), ref: 0076758E
                                                          • SetTextColor.GDI32(?,00000000), ref: 00767596
                                                          • DrawTextW.USER32(?,007670F5,000000FF,?,00000000), ref: 007675A8
                                                          • SelectObject.GDI32(?,?), ref: 007675BF
                                                          • DeleteObject.GDI32(?), ref: 007675CA
                                                          • SelectObject.GDI32(?,?), ref: 007675D0
                                                          • DeleteObject.GDI32(?), ref: 007675D5
                                                          • SetTextColor.GDI32(?,?), ref: 007675DB
                                                          • SetBkColor.GDI32(?,?), ref: 007675E5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                          • String ID:
                                                          • API String ID: 1996641542-0
                                                          • Opcode ID: cb74cac0860a11caf90fa6b305049b0bb34769fa4e808fe997a03dabbe834f6b
                                                          • Instruction ID: 5e77953fe0ae5e53e073ba6c4d726d11ad724c936057cc3fc1a2ae2c0381b77a
                                                          • Opcode Fuzzy Hash: cb74cac0860a11caf90fa6b305049b0bb34769fa4e808fe997a03dabbe834f6b
                                                          • Instruction Fuzzy Hash: 2C616072900218AFDF069FA4DC49EAE7F79EF09360F118115F916AB2A1D7B89940CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 00761128
                                                          • GetDesktopWindow.USER32 ref: 0076113D
                                                          • GetWindowRect.USER32(00000000), ref: 00761144
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00761199
                                                          • DestroyWindow.USER32(?), ref: 007611B9
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007611ED
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0076120B
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0076121D
                                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00761232
                                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00761245
                                                          • IsWindowVisible.USER32(00000000), ref: 007612A1
                                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007612BC
                                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007612D0
                                                          • GetWindowRect.USER32(00000000,?), ref: 007612E8
                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 0076130E
                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00761328
                                                          • CopyRect.USER32(?,?), ref: 0076133F
                                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 007613AA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                          • String ID: ($0$tooltips_class32
                                                          • API String ID: 698492251-4156429822
                                                          • Opcode ID: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
                                                          • Instruction ID: dfedbd7fac7fcbcedf2abbcb37c2fb22ad7444279f19c7ed3efc658e5483ad75
                                                          • Opcode Fuzzy Hash: 51f1f5a2ef300bdacf789e752000f07e32a24241baa57f5194a2af815d7a2a3f
                                                          • Instruction Fuzzy Hash: 90B1BC71604341AFDB44DF64C888B6ABBE4FF88300F44891DF99A9B2A1C774E844CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 007602E5
                                                          • _wcslen.LIBCMT ref: 0076031F
                                                          • _wcslen.LIBCMT ref: 00760389
                                                          • _wcslen.LIBCMT ref: 007603F1
                                                          • _wcslen.LIBCMT ref: 00760475
                                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007604C5
                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00760504
                                                            • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                                            • Part of subcall function 0073223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00732258
                                                            • Part of subcall function 0073223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0073228A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                          • API String ID: 1103490817-719923060
                                                          • Opcode ID: fc4a58411b16676a63654272b80aff399db1f349fb966ceca5eb29331b47fc16
                                                          • Instruction ID: 66262d7673ca1f9feee3293f4e2ffc4d412a22eedae870d1cc206f5c3b4961b6
                                                          • Opcode Fuzzy Hash: fc4a58411b16676a63654272b80aff399db1f349fb966ceca5eb29331b47fc16
                                                          • Instruction Fuzzy Hash: 75E19C312182418FCB28DF24C45083BB7E6BF89314B14496DF8979B3A2DB38ED45CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E8968
                                                          • GetSystemMetrics.USER32(00000007), ref: 006E8970
                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006E899B
                                                          • GetSystemMetrics.USER32(00000008), ref: 006E89A3
                                                          • GetSystemMetrics.USER32(00000004), ref: 006E89C8
                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006E89E5
                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006E89F5
                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006E8A28
                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006E8A3C
                                                          • GetClientRect.USER32(00000000,000000FF), ref: 006E8A5A
                                                          • GetStockObject.GDI32(00000011), ref: 006E8A76
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 006E8A81
                                                            • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                                                            • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                                                            • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                                            • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                                          • SetTimer.USER32(00000000,00000000,00000028,006E90FC), ref: 006E8AA8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                          • String ID: AutoIt v3 GUI
                                                          • API String ID: 1458621304-248962490
                                                          • Opcode ID: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
                                                          • Instruction ID: fe331e6d99001d01456d9528e8ce7a5db171a5cce4727d6a11fed194aaf2b0c1
                                                          • Opcode Fuzzy Hash: 90ca036b657eb90872723f3038cff3e8c8f60c3b23119ed548afd0cfc702bdf6
                                                          • Instruction Fuzzy Hash: 00B18F75A003599FDB14DFA8DC45BAE3BB5FB48314F10822AFA16A7290DB78E841CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                                            • Part of subcall function 007310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                                            • Part of subcall function 007310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                                            • Part of subcall function 007310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                                            • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730DF5
                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00730E29
                                                          • GetLengthSid.ADVAPI32(?), ref: 00730E40
                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00730E7A
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730E96
                                                          • GetLengthSid.ADVAPI32(?), ref: 00730EAD
                                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00730EB5
                                                          • HeapAlloc.KERNEL32(00000000), ref: 00730EBC
                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00730EDD
                                                          • CopySid.ADVAPI32(00000000), ref: 00730EE4
                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00730F13
                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730F35
                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730F47
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F6E
                                                          • HeapFree.KERNEL32(00000000), ref: 00730F75
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F7E
                                                          • HeapFree.KERNEL32(00000000), ref: 00730F85
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00730F8E
                                                          • HeapFree.KERNEL32(00000000), ref: 00730F95
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00730FA1
                                                          • HeapFree.KERNEL32(00000000), ref: 00730FA8
                                                            • Part of subcall function 00731193: GetProcessHeap.KERNEL32(00000008,00730BB1,?,00000000,?,00730BB1,?), ref: 007311A1
                                                            • Part of subcall function 00731193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00730BB1,?), ref: 007311A8
                                                            • Part of subcall function 00731193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00730BB1,?), ref: 007311B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                          • String ID:
                                                          • API String ID: 4175595110-0
                                                          • Opcode ID: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
                                                          • Instruction ID: c366cb2ccd8912e91f2d12477ee66689e63de2c464b4d817d65b030004802b09
                                                          • Opcode Fuzzy Hash: e0830977437497ec22398bdbf383c3b791d1770c116ca8d3355a8563cac0c123
                                                          • Instruction Fuzzy Hash: 79715FB190020AEBEF219FA4DC49FBEBBB8BF05700F048115F959A6152D7799A05CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4BD
                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0076CC08,00000000,?,00000000,?,?), ref: 0075C544
                                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0075C5A4
                                                          • _wcslen.LIBCMT ref: 0075C5F4
                                                          • _wcslen.LIBCMT ref: 0075C66F
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075C6B2
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075C84D
                                                          • RegCloseKey.ADVAPI32(?), ref: 0075C881
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0075C88E
                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075C960
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                          • API String ID: 9721498-966354055
                                                          • Opcode ID: 312461ecf753c85b271b79878967602b90c60accc2b7b562fc9fb7dac0fceb21
                                                          • Instruction ID: 3d1e5a5c1bf9f969cf39678abe4ae1ea190436f0a9e9305c36b4f5bb90e4cf64
                                                          • Opcode Fuzzy Hash: 312461ecf753c85b271b79878967602b90c60accc2b7b562fc9fb7dac0fceb21
                                                          • Instruction Fuzzy Hash: 041265316043019FDB15DF14C881B6AB7E6EF88714F04889DF88A9B3A2DB75ED45CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
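The API lists above follow one fixed line format (`Name.MODULE(args), ref: address`, with `?` for arguments the plugin could not resolve and a `Part of subcall function` prefix for calls made by a callee). Two of the functions are worth pulling structure out of: the routine at 0075C4BD writes registry values with RegSetValueExW, where the fourth argument is the dwType, and the routine at 00730DF5 reads a user-object (window station or desktop) security descriptor, appends an ACE and writes it back. The parser below is an added example and not part of the Joe Sandbox report; the sample lines are copied from those two blocks, the REG_* mapping uses the documented winnt.h values, and the `DACL_REWRITE` sequence is this example's own pattern, not a rule the report states:

```python
import re

# Constructed sample input: API-call lines copied from two of the function
# summaries in this report (the RegSetValueExW routine at 0075C4BD and the
# DACL routine at 00730DF5), plus two lines of the paren-less form.
SAMPLE = """\
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0076CC08,00000000,?,00000000,?,?), ref: 0075C544
• _wcslen.LIBCMT ref: 0075C5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0075C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0075C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0075C84D
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0075C960
  • Part of subcall function 007310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00730DF5
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00730E96
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00730F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00730F47
• GetDesktopWindow.USER32 ref: 00735B75
"""

# One report line: optional "Part of subcall function XXXXXXXX:" prefix,
# "Name.MODULE", optional "(args)", then "ref: ADDR".  Arguments the plugin
# could not resolve statically are printed as "?".
LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Documented dwType values for RegSetValueExW (winnt.h REG_* constants).
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}


def parse_arg(tok):
    """'?' -> None, 8-hex-digit constant -> int, anything else -> literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # e.g. the window-class literal 'AutoIt v3 GUI'


def parse_lines(text):
    """Parse a block of API lines into dicts; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": [parse_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


def registry_value_types(calls):
    """Decode the dwType argument (index 3) of every RegSetValueExW call."""
    out = []
    for c in calls:
        if c["name"] == "RegSetValueExW" and len(c["args"]) > 3 and c["args"][3] is not None:
            out.append(REG_TYPES.get(c["args"][3], "REG_type_%d" % c["args"][3]))
    return out


def calls_in_order(calls, names, include_subcalls=False):
    """True if every API in `names` is called by this function and their first
    occurrences appear in the listed order of code address.  Sub-call lines
    belong to a callee, so they are ignored unless include_subcalls is set."""
    first = {}
    for c in calls:
        if c["subcall"] is not None and not include_subcalls:
            continue
        first.setdefault(c["name"], c["ref"])
    if any(n not in first for n in names):
        return False
    addrs = [first[n] for n in names]
    return addrs == sorted(addrs)


# Example pattern (this example's own, not from the report): a user-object
# DACL rewrite reads the DACL, appends an ACE and writes the descriptor back.
DACL_REWRITE = ("GetSecurityDescriptorDacl", "AddAce",
                "SetSecurityDescriptorDacl", "SetUserObjectSecurity")

if __name__ == "__main__":
    calls = parse_lines(SAMPLE)
    print(len(calls), "calls parsed")
    print("RegSetValueExW types:", registry_value_types(calls))
    print("DACL rewrite sequence present:", calls_in_order(calls, DACL_REWRITE))
```

Run it on any function block copied from this report; on the sample above it decodes the four RegSetValueExW types as REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY, which matches four of the six type names the routine carries as strings, and reports the DACL rewrite sequence for the 00730DF5 block. Sub-call lines are skipped by default so that a callee's calls are not mistaken for the function's own.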

                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?), ref: 007609C6
                                                          • _wcslen.LIBCMT ref: 00760A01
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00760A54
                                                          • _wcslen.LIBCMT ref: 00760A8A
                                                          • _wcslen.LIBCMT ref: 00760B06
                                                          • _wcslen.LIBCMT ref: 00760B81
                                                            • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                                            • Part of subcall function 00732BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00732BFA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                          • API String ID: 1103490817-4258414348
                                                          • Opcode ID: 849569dcbd39db08d92af3e14125bbf71dd8ca933a1238d87ec62dd52fc07bc5
                                                          • Instruction ID: 04dbe636cf8e561c7d453acd2a8e7893e6bc889a1034b387f0f490ce66d3a86b
                                                          • Opcode Fuzzy Hash: 849569dcbd39db08d92af3e14125bbf71dd8ca933a1238d87ec62dd52fc07bc5
                                                          • Instruction Fuzzy Hash: B1E19B716087018FCB14DF24C45092BB7E2BF98354F148A5DF89A9B3A2DB39ED45CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                          • API String ID: 1256254125-909552448
                                                          • Opcode ID: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
                                                          • Instruction ID: f87b5bd4aac68ed4e85dc9caf4e280d90faeda04030946cff4c211237e982e9c
                                                          • Opcode Fuzzy Hash: de7dfea91e7efa3be898fd113bfdd0781fe4e29cbb1a4b5c8a086a0451928232
                                                          • Instruction Fuzzy Hash: 2171163260036A8FCF22DE7CCD417FB37929B61751B244528FC56A7284EAB9CD48C3A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0076835A
                                                          • _wcslen.LIBCMT ref: 0076836E
                                                          • _wcslen.LIBCMT ref: 00768391
                                                          • _wcslen.LIBCMT ref: 007683B4
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007683F2
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00765BF2), ref: 0076844E
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768487
                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007684CA
                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00768501
                                                          • FreeLibrary.KERNEL32(?), ref: 0076850D
                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0076851D
                                                          • DestroyIcon.USER32(?,?,?,?,?,00765BF2), ref: 0076852C
                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00768549
                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00768555
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                          • String ID: .dll$.exe$.icl
                                                          • API String ID: 799131459-1154884017
                                                          • Opcode ID: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
                                                          • Instruction ID: 9ed7bf26ed66169a14c575a7095c0dc1af235f3b816747f53ebc24dd89417597
                                                          • Opcode Fuzzy Hash: d1ff607b6ce1307a88a1248954ea99055940d1b6e9293a6d181f2625c7cc5108
                                                          • Instruction Fuzzy Hash: E861D171540219BAEB54DF64CC41BBF7BA8FB04711F10860AFD16D61D1DFB8AA50C7A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                          • API String ID: 0-1645009161
                                                          • Opcode ID: f215f933b9444e66847754d62809eea4f394157034e41ca83cbf5add4b7def94
                                                          • Instruction ID: 38c1538164f9b5bcfe7b821dc5538857447e3ed4f05df522a62635104860f13a
                                                          • Opcode Fuzzy Hash: f215f933b9444e66847754d62809eea4f394157034e41ca83cbf5add4b7def94
                                                          • Instruction Fuzzy Hash: 978119B1A00209BBDB25AF64DC42FFE3766AF55300F04442AF905AB292FB74D941D7A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadIconW.USER32(00000063), ref: 00735A2E
                                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00735A40
                                                          • SetWindowTextW.USER32(?,?), ref: 00735A57
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00735A6C
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00735A72
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00735A82
                                                          • SetWindowTextW.USER32(00000000,?), ref: 00735A88
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00735AA9
                                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00735AC3
                                                          • GetWindowRect.USER32(?,?), ref: 00735ACC
                                                          • _wcslen.LIBCMT ref: 00735B33
                                                          • SetWindowTextW.USER32(?,?), ref: 00735B6F
                                                          • GetDesktopWindow.USER32 ref: 00735B75
                                                          • GetWindowRect.USER32(00000000), ref: 00735B7C
                                                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00735BD3
                                                          • GetClientRect.USER32(?,?), ref: 00735BE0
                                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00735C05
                                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00735C2F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                          • String ID:
                                                          • API String ID: 895679908-0
                                                          • Opcode ID: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
                                                          • Instruction ID: e5fc60b5c4976b6e09ffbd9301ec72b4a315fc50e295a05c331f14811f42206d
                                                          • Opcode Fuzzy Hash: bd7462111b9fd9440a9b398c3dd00e82ef9826fbbcf745ab37f591e42f29a42c
                                                          • Instruction Fuzzy Hash: 79718E71900B09EFEB21DFA8CE85BAEBBF5FF48704F104518E582A25A1D779E940CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[y
                                                          • API String ID: 176396367-3387399910
                                                          • Opcode ID: f5f3ce1916eb6aafc11b2f378f6e5e6581fdafc6b4c5e24f730f717e83a3babe
                                                          • Instruction ID: 040b674cb789fe72fafa46d0a0cce46a2112abe4a959f54d375696d2b52a7210
                                                          • Opcode Fuzzy Hash: f5f3ce1916eb6aafc11b2f378f6e5e6581fdafc6b4c5e24f730f717e83a3babe
                                                          • Instruction Fuzzy Hash: 0FE1E632A005269BEF359FB8C4516FEFBB1BF44710F54812AE456E7242DB38AE4587D0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006F00C6
                                                            • Part of subcall function 006F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007A070C,00000FA0,79826AD7,?,?,?,?,007123B3,000000FF), ref: 006F011C
                                                            • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007123B3,000000FF), ref: 006F0127
                                                            • Part of subcall function 006F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007123B3,000000FF), ref: 006F0138
                                                            • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006F014E
                                                            • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006F015C
                                                            • Part of subcall function 006F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006F016A
                                                            • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F0195
                                                            • Part of subcall function 006F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006F01A0
                                                          • ___scrt_fastfail.LIBCMT ref: 006F00E7
                                                            • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                                          Strings
                                                          • kernel32.dll, xrefs: 006F0133
                                                          • InitializeConditionVariable, xrefs: 006F0148
                                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 006F0122
                                                          • SleepConditionVariableCS, xrefs: 006F0154
                                                          • WakeAllConditionVariable, xrefs: 006F0162
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                          • API String ID: 66158676-1714406822
                                                          • Opcode ID: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
                                                          • Instruction ID: e24a7f522972086bf83ff5013222f03e4ca6482920ad853d092288d3f28995da
                                                          • Opcode Fuzzy Hash: 6bd65af9ed493c8fa03855f3d70aad972db18e670e984b24461f714dbbb2fee1
                                                          • Instruction Fuzzy Hash: D1210E726457196BFB11ABF4AC05B7A3396EB46B51F104539FD0293392DFBC6C008A98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CharLowerBuffW.USER32(00000000,00000000,0076CC08), ref: 00744527
                                                          • _wcslen.LIBCMT ref: 0074453B
                                                          • _wcslen.LIBCMT ref: 00744599
                                                          • _wcslen.LIBCMT ref: 007445F4
                                                          • _wcslen.LIBCMT ref: 0074463F
                                                          • _wcslen.LIBCMT ref: 007446A7
                                                            • Part of subcall function 006EF9F2: _wcslen.LIBCMT ref: 006EF9FD
                                                          • GetDriveTypeW.KERNEL32(?,00796BF0,00000061), ref: 00744743
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharDriveLowerType
                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                          • API String ID: 2055661098-1000479233
                                                          • Opcode ID: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
                                                          • Instruction ID: f34687a7da7809d218eba8213f9a73587bcce700bb4f577d60b9a33e96ab7d58
                                                          • Opcode Fuzzy Hash: 2ff707f14f4fd79194ab6d13c4dbddac39cc9da941895c77acb8ac107f70ef58
                                                          • Instruction Fuzzy Hash: D0B1F2716083029FC710DF28D890A7AB7E5BFA6760F504A1DF496C7291EB38D845DBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • DragQueryPoint.SHELL32(?,?), ref: 00769147
                                                            • Part of subcall function 00767674: ClientToScreen.USER32(?,?), ref: 0076769A
                                                            • Part of subcall function 00767674: GetWindowRect.USER32(?,?), ref: 00767710
                                                            • Part of subcall function 00767674: PtInRect.USER32(?,?,00768B89), ref: 00767720
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 007691B0
                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007691BB
                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007691DE
                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00769225
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0076923E
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00769255
                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00769277
                                                          • DragFinish.SHELL32(?), ref: 0076927E
                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00769371
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#z
                                                          • API String ID: 221274066-3231298687
                                                          • Opcode ID: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
                                                          • Instruction ID: 20594622f7e8b337e6cbfa15bc3dedc2908bf26f51c96fc560a9fcf049e175f2
                                                          • Opcode Fuzzy Hash: 756ad91427686e561ccce6e17cecd414268d9a8f7f0373d83dae252c36d10f58
                                                          • Instruction Fuzzy Hash: 8E619B71508301AFC701DF60DC85DAFBBE9EFC9750F00492EF596922A0DB749A09CB66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0075B198
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1B0
                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1D4
                                                          • _wcslen.LIBCMT ref: 0075B200
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B214
                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0075B236
                                                          • _wcslen.LIBCMT ref: 0075B332
                                                            • Part of subcall function 007405A7: GetStdHandle.KERNEL32(000000F6), ref: 007405C6
                                                          • _wcslen.LIBCMT ref: 0075B34B
                                                          • _wcslen.LIBCMT ref: 0075B366
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075B3B6
                                                          • GetLastError.KERNEL32(00000000), ref: 0075B407
                                                          • CloseHandle.KERNEL32(?), ref: 0075B439
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075B44A
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075B45C
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075B46E
                                                          • CloseHandle.KERNEL32(?), ref: 0075B4E3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 2178637699-0
                                                          • Opcode ID: aa6edde7c18cd8ebfa2b83af6b0c29d6277af6acd0ce55e50773468056dc4b14
                                                          • Instruction ID: 8a069dc9506b9730d9e87a6e3fe8491c36a3174ce7ac5b834e27a111a506f05e
                                                          • Opcode Fuzzy Hash: aa6edde7c18cd8ebfa2b83af6b0c29d6277af6acd0ce55e50773468056dc4b14
                                                          • Instruction Fuzzy Hash: C7F18C31604340DFC764EF24C891B6EBBE1AF85310F14855EF8999B2A2DB75EC48CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetMenuItemCount.USER32(007A1990), ref: 00712F8D
                                                          • GetMenuItemCount.USER32(007A1990), ref: 0071303D
                                                          • GetCursorPos.USER32(?), ref: 00713081
                                                          • SetForegroundWindow.USER32(00000000), ref: 0071308A
                                                          • TrackPopupMenuEx.USER32(007A1990,00000000,?,00000000,00000000,00000000), ref: 0071309D
                                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007130A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                          • String ID: 0
                                                          • API String ID: 36266755-4108050209
                                                          • Opcode ID: 48c1bc70b071fdbbcfdfe5dda439fcff4eb2da154057c46928184aaa816b0f13
                                                          • Instruction ID: 312b12dc30439dbbb5635d9f7e9a28ea5d2ad112ed8205ad4770f427095123e0
                                                          • Opcode Fuzzy Hash: 48c1bc70b071fdbbcfdfe5dda439fcff4eb2da154057c46928184aaa816b0f13
                                                          • Instruction Fuzzy Hash: FB712A70A44215BEFB218F28CC49FEABF69FF04324F204207F5156A2E1C7B9A965CB55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DestroyWindow.USER32(?,?), ref: 00766DEB
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00766E5F
                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00766E81
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766E94
                                                          • DestroyWindow.USER32(?), ref: 00766EB5
                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006D0000,00000000), ref: 00766EE4
                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00766EFD
                                                          • GetDesktopWindow.USER32 ref: 00766F16
                                                          • GetWindowRect.USER32(00000000), ref: 00766F1D
                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00766F35
                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00766F4D
                                                            • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                          • String ID: 0$tooltips_class32
                                                          • API String ID: 2429346358-3619404913
                                                          • Opcode ID: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
                                                          • Instruction ID: d87ebba7d47b521b59e25487d28d154e75642803ade32e3ee881fafeca5263a7
                                                          • Opcode Fuzzy Hash: 191b8d542b2494c2e41f250a23be50da6f5f320f2bbf34e9c88cdaa78826e270
                                                          • Instruction Fuzzy Hash: D2716674104340AFEB21CF18D844EBABBE9FB99304F84445EF99A87261C779E916CB19
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
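
Two entries in this function inventory matter for triage: the CreateProcessW chain listed above (ref 0075B3B6, preceded by GetSystemDirectoryW/GetCurrentDirectoryW and followed by GetLastError and a run of CloseHandle calls) and the WinINet chain that follows, where InternetSetOptionW is called with option 0000001F and value 00000100 (ref 0074C549) right before HttpSendRequestW. Per wininet.h, option 0x1F is INTERNET_OPTION_SECURITY_FLAGS and 0x100 is SECURITY_FLAG_IGNORE_UNKNOWN_CA, so any TLS request issued through that request handle is sent with untrusted-CA certificate errors suppressed. The script below is an added example, not part of the Joe Sandbox report and not code from the sample or the AutoIt runtime it is built on: it parses "APIs" bullet lists in the format shown on this page and flags those two patterns. The flag constants are from wininet.h; the embedded sample listing is constructed from lines of this report; the regex, rule set and function names (parse_listing, decode_security_flags, triage) are this example's own.

```python
"""Triage Joe Sandbox IDA-plugin 'APIs' listings for security-relevant calls.

Added example, not part of the Joe Sandbox report. Input is the per-function
bullet list the plugin emits, e.g.

    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constants from wininet.h (not taken from the report).
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
SECURITY_FLAGS = {
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00004000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS",
    0x00008000: "SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTP",
}
_KNOWN_BITS = 0
for _bit in SECURITY_FLAGS:
    _KNOWN_BITS |= _bit


@dataclass
class ApiCall:
    api: str              # e.g. "InternetSetOptionW"
    module: str           # e.g. "WININET"
    args: list[str]       # raw argument tokens; '?' means the plugin could not resolve it
    ref: Optional[int]    # call-site address, None if absent
    subcall: bool         # True for "Part of subcall function ..." lines


# One bullet per call. The argument list and the ref are both optional
# (e.g. "GetDesktopWindow.USER32 ref: 00735B75").
_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[\w\-]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


def parse_listing(text: str) -> list[ApiCall]:
    """Parse every API bullet; headers such as 'APIs'/'Strings' are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        ref = int(m.group("ref"), 16) if m.group("ref") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, ref, m.group("sub") is not None))
    return calls


def arg_int(token: str) -> Optional[int]:
    """Hex argument token -> int; unresolved '?' (or a string literal) -> None."""
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]+", token) else None


def decode_security_flags(value: int) -> list[str]:
    """Name the SECURITY_FLAG_* bits in an INTERNET_OPTION_SECURITY_FLAGS value."""
    names = [name for bit, name in SECURITY_FLAGS.items() if value & bit]
    leftover = value & ~_KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:X})")
    return names


def _where(call: ApiCall) -> str:
    return f"{call.ref:08X}" if call.ref is not None else "????????"


def triage(text: str) -> list[str]:
    """Return one finding per flagged call, in listing order."""
    findings = []
    for c in parse_listing(text):
        if (c.api == "InternetSetOptionW" and len(c.args) >= 3
                and arg_int(c.args[1]) == INTERNET_OPTION_SECURITY_FLAGS):
            flags = arg_int(c.args[2])
            if flags is not None:
                findings.append(f"{_where(c)}: InternetSetOptionW sets "
                                f"INTERNET_OPTION_SECURITY_FLAGS = {'|'.join(decode_security_flags(flags))}")
        elif c.api == "CreateProcessW" and not c.subcall:
            findings.append(f"{_where(c)}: CreateProcessW (child process spawn)")
    return findings


# Constructed sample: lines copied from the CreateProcessW and WinINet entries of this report.
SAMPLE = """\
APIs
• _wcslen.LIBCMT ref: 0075B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0075B1B0
  • Part of subcall function 007405A7: GetStdHandle.KERNEL32(000000F6), ref: 007405C6
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0075B3B6
• CloseHandle.KERNEL32(?), ref: 0075B439
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
• GetDesktopWindow.USER32 ref: 00735B75
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The rule set is deliberately narrow: arguments the plugin could not resolve appear as `?`, so `arg_int` returns None for them and the rule stays silent rather than guessing. When HttpOpenRequestW's flags are unresolved, as they are here, the listing alone does not tell you whether the connection is HTTP or HTTPS; the finding only records that certificate validation has been weakened on the handle.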

                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C4C3
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C4D7
                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C584
                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0074C5DC
                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0074C5F0
                                                          • InternetCloseHandle.WININET(00000000), ref: 0074C5FB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                          • String ID:
                                                          • API String ID: 3800310941-3916222277
                                                          • Opcode ID: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
                                                          • Instruction ID: c7cd51456fce75c2fe57731f67fd84d72ab91f73504c1b401c987aa4210b7f58
                                                          • Opcode Fuzzy Hash: d3eaba74513dce57d48ef928219fc7d48b4ce0d210665a889e09e64584309048
                                                          • Instruction Fuzzy Hash: F9518EB1501308BFDB629F65C948ABBBBFCFF08344F108419F98696210DB78E914DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00768592
                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685A2
                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685AD
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685BA
                                                          • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685C8
                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685D7
                                                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685E0
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685E7
                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007685F8
                                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0076FC38,?), ref: 00768611
                                                          • GlobalFree.KERNEL32(00000000), ref: 00768621
                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00768641
                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00768671
                                                          • DeleteObject.GDI32(?), ref: 00768699
                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007686AF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                          • String ID:
                                                          • API String ID: 3840717409-0
                                                          • Opcode ID: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
                                                          • Instruction ID: 5ebb3cbf9c5c1b90859c4d049f1c11b3e252c764ba5b04a3f02b637f2a98c6dd
                                                          • Opcode Fuzzy Hash: eb3c30d5affcfa0ccd82823cd27a89650dc7dd919516fa932f8fecbc162b5ce3
                                                          • Instruction Fuzzy Hash: A8412875600208AFDB129FA5CC48EAA7BB8FF89B11F108159FD46E7261DB789D01CF25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VariantInit.OLEAUT32(00000000), ref: 00741502
                                                          • VariantCopy.OLEAUT32(?,?), ref: 0074150B
                                                          • VariantClear.OLEAUT32(?), ref: 00741517
                                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007415FB
                                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00741657
                                                          • VariantInit.OLEAUT32(?), ref: 00741708
                                                          • SysFreeString.OLEAUT32(?), ref: 0074178C
                                                          • VariantClear.OLEAUT32(?), ref: 007417D8
                                                          • VariantClear.OLEAUT32(?), ref: 007417E7
                                                          • VariantInit.OLEAUT32(00000000), ref: 00741823
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                          • API String ID: 1234038744-3931177956
                                                          • Opcode ID: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
                                                          • Instruction ID: 5e126d131e37f5975fa5dc322948794febb279cdd899d2c5552e4875c3c40ff9
                                                          • Opcode Fuzzy Hash: 05228d4c3f8b1cc9573b3d7f44bef767aa7c55e9fb1e4406a7e8f8bc1c33183b
                                                          • Instruction Fuzzy Hash: 4DD1E271A00219DBDB00FF65D885BB9FBB6BF44700F54815AF446AB280DB38EC91DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075B6F4
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075B772
                                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 0075B80A
                                                          • RegCloseKey.ADVAPI32(?), ref: 0075B87E
                                                          • RegCloseKey.ADVAPI32(?), ref: 0075B89C
                                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075B8F2
                                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075B904
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075B922
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0075B983
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0075B994
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 146587525-4033151799
                                                          • Opcode ID: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
                                                          • Instruction ID: da68f1e1edd1ca2d0e375a5f745c1c7fdb33612ca775d12da4eda411db99b46f
                                                          • Opcode Fuzzy Hash: ce366675221b07dc4a002bc98296aed2713ea70288fc0038b65e222dd3ddce04
                                                          • Instruction Fuzzy Hash: 5FC16C30604201EFD714DF14C495F6ABBE5AF84319F14859DF89A8B3A2CBB9EC49CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 007525D8
                                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
                                                          • CreateCompatibleDC.GDI32(?), ref: 007525F4
                                                          • SelectObject.GDI32(00000000,?), ref: 00752601
                                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
                                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007526AC
                                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007526D0
                                                          • SelectObject.GDI32(?,?), ref: 007526D8
                                                          • DeleteObject.GDI32(?), ref: 007526E1
                                                          • DeleteDC.GDI32(?), ref: 007526E8
                                                          • ReleaseDC.USER32(00000000,?), ref: 007526F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                          • String ID: (
                                                          • API String ID: 2598888154-3887548279
                                                          • Opcode ID: 2762c069e0fe0fafc6130e63fdfd8ea5b1c2774ebf9e007482994c0e38a6d9ec
                                                          • Instruction ID: 339b68b6ccc4e8b2b747b313eb488de7da2ea882d66853ce70fb172437d29f44
                                                          • Opcode Fuzzy Hash: 2762c069e0fe0fafc6130e63fdfd8ea5b1c2774ebf9e007482994c0e38a6d9ec
                                                          • Instruction Fuzzy Hash: FA6105B5D00219EFCF05CFA4D884AAEBBF5FF48310F208529E956A7251E7B4A941CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

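Reading the three API lists above as call chains is where a practitioner would stop and decode the raw constants. In the routine at 0074C4B0, InternetQueryOptionW and InternetSetOptionW are both called with option 0x1F (INTERNET_OPTION_SECURITY_FLAGS) between HttpOpenRequestW and HttpSendRequestW, the 0x100 shown for the set-option buffer is SECURITY_FLAG_IGNORE_UNKNOWN_CA, and the HttpQueryInfoW level 5 that follows is HTTP_QUERY_CONTENT_LENGTH. In the routine at 0075B6F4, RegDeleteKeyExW is resolved at run time through LoadLibraryA("advapi32.dll") and GetProcAddress while RegDeleteKeyW is called directly in the same function (a fallback path, on the evidence of the call list). In the routine at 007525D8, GetDC(0), CreateCompatibleBitmap, StretchBlt with 0x00CC0020 (SRCCOPY) and GetDIBits copy the whole desktop into a device-independent bitmap. The script below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses bullets in the format used here into per-function call lists and applies those three checks. Its input is an abridged copy of the three entries (constructed for the example; any other entry from the report pastes in unchanged), the rule names are mine, and it assumes the plugin prints the DWORD stored in InternetSetOptionW's buffer rather than the buffer's address, which is the only reading under which 0x100 is a flag value. One caveat belongs with any hit: the report classifies the sample as a compiled AutoIt script, and these chains have the shape of the AutoIt3 runtime's own built-ins (an identification from the call pattern, not something the report states), so they describe what the interpreter can do for any script, while the behaviour signatures at the top of the report are the evidence of what this script actually did.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed input: abridged copies of the "APIs" entries for 0074C4B0, 0075B6F4 and 007525D8 above.
REPORT_ENTRIES: Dict[str, str] = {
    "0074C4B0": """
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0074C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0074C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0074C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C554
""",
    "0075B6F4": """
• Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075B6F4
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 0075B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0075B922
""",
    "007525D8": """
• GetDC.USER32(00000000), ref: 007525D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007525E8
• CreateCompatibleDC.GDI32(?), ref: 007525F4
• SelectObject.GDI32(00000000,?), ref: 00752601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0075266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007526AC
""",
}
# Constants the entries show as raw hex (values from wininet.h and wingdi.h).
INTERNET_OPTION_SECURITY_FLAGS, SRCCOPY = 0x1F, 0x00CC0020
SECURITY_FLAGS = {0x100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA", 0x200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
                  0x1000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID", 0x2000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID"}

# One bullet: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: address.
LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                     r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

@dataclass
class Call:
    name: str
    args: List[object]      # int for a resolved constant, None for '?', str for a DLL or export name
    ref: str
    subcall: Optional[str]  # callee address when the line reads "Part of subcall function"

def parse_entry(text: str) -> List[Call]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        toks = [t.strip() for t in m["args"].split(",")] if m["args"] else []
        args = [None if t == "?" else int(t, 16) if re.fullmatch(r"[0-9A-F]{8}", t) else t for t in toks]
        calls.append(Call(m["name"], args, m["ref"], m["sub"]))
    return calls

def arg(c: Call, i: int):
    return c.args[i] if i < len(c.args) else None

def ordered(calls: Sequence[Call], *names: str) -> Optional[List[Call]]:
    """First in-order (not necessarily adjacent) match of `names` among the function's own calls."""
    found, want = [], list(names)
    for c in calls:
        if want and c.subcall is None and c.name == want[0]:
            found.append(c)
            want.pop(0)
    return None if want else found

def check_wininet_tls(calls: Sequence[Call]) -> Optional[dict]:
    """Security flags queried and rewritten on an open request before it is sent."""
    seq = ordered(calls, "HttpOpenRequestW", "InternetQueryOptionW", "InternetSetOptionW", "HttpSendRequestW")
    if not seq or arg(seq[1], 1) != INTERNET_OPTION_SECURITY_FLAGS or arg(seq[2], 1) != INTERNET_OPTION_SECURITY_FLAGS:
        return None
    # ASSUMPTION: the plugin prints the DWORD held in the lpBuffer stack slot (0x100 here), not its address.
    value = arg(seq[2], 2) if isinstance(arg(seq[2], 2), int) else 0
    return {"rule": "wininet-security-flags-rewritten", "ref": seq[2].ref,
            "flags": [n for bit, n in SECURITY_FLAGS.items() if value & bit]}

def check_dynamic_imports(calls: Sequence[Call]) -> List[dict]:
    """LoadLibrary + GetProcAddress by export name, plus statically imported siblings of that API."""
    stem = lambda n: re.sub(r"(?:Ex)?[AW]?$", "", n)  # RegDeleteKeyExW and RegDeleteKeyW -> RegDeleteKey
    findings, dll = [], None
    for c in calls:
        if c.name in ("LoadLibraryA", "LoadLibraryW") and isinstance(arg(c, 0), str):
            dll = arg(c, 0)
        elif c.name == "GetProcAddress" and isinstance(arg(c, 1), str):
            export = arg(c, 1)
            fallback = [x.name for x in calls if x.name != export and stem(x.name) == stem(export)]
            findings.append({"rule": "dynamic-import", "ref": c.ref, "dll": dll, "export": export, "static_fallback": fallback})
    return findings

def check_screen_capture(calls: Sequence[Call]) -> Optional[dict]:
    """Desktop DC copied into a compatible bitmap and read back as raw pixels."""
    seq = ordered(calls, "GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "SelectObject", "StretchBlt", "GetDIBits")
    return seq and {"rule": "screen-capture-to-dib", "ref": seq[0].ref,
                    "whole_desktop": arg(seq[0], 0) == 0, "srccopy": seq[4].args[-1] == SRCCOPY}

def analyze(entries: Dict[str, str]) -> Dict[str, List[dict]]:
    out: Dict[str, List[dict]] = {}
    for func, text in entries.items():
        calls = parse_entry(text)
        out[func] = [h for h in (check_wininet_tls(calls), check_screen_capture(calls)) if h] + check_dynamic_imports(calls)
    return out
```

analyze(REPORT_ENTRIES) returns one finding per routine, keyed by the function's start address. A hit on the first rule deserves a look at the network section of the report, because a run-time rewrite of INTERNET_OPTION_SECURITY_FLAGS that adds SECURITY_FLAG_IGNORE_UNKNOWN_CA makes the download path accept a server certificate from an issuer the machine does not trust; the other two rules are ordinary for a GUI automation runtime and only matter in combination with what the embedded script is seen to do.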
                                                          APIs
                                                          • ___free_lconv_mon.LIBCMT ref: 0070DAA1
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D659
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D66B
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D67D
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D68F
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6A1
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6B3
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6C5
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6D7
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6E9
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D6FB
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D70D
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D71F
                                                            • Part of subcall function 0070D63C: _free.LIBCMT ref: 0070D731
                                                          • _free.LIBCMT ref: 0070DA96
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 0070DAB8
                                                          • _free.LIBCMT ref: 0070DACD
                                                          • _free.LIBCMT ref: 0070DAD8
                                                          • _free.LIBCMT ref: 0070DAFA
                                                          • _free.LIBCMT ref: 0070DB0D
                                                          • _free.LIBCMT ref: 0070DB1B
                                                          • _free.LIBCMT ref: 0070DB26
                                                          • _free.LIBCMT ref: 0070DB5E
                                                          • _free.LIBCMT ref: 0070DB65
                                                          • _free.LIBCMT ref: 0070DB82
                                                          • _free.LIBCMT ref: 0070DB9A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                          • String ID:
                                                          • API String ID: 161543041-0
                                                          • Opcode ID: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
                                                          • Instruction ID: 6018ebed41e9d267bea4c28b79fa41bbac574d83e224d63c9a569dc357b537f2
                                                          • Opcode Fuzzy Hash: 0b50f2e46493ae6a8fa6652d446d4f72f3fbf7efdec349bbdef2f80f4d200b3d
                                                          • Instruction Fuzzy Hash: B0313BB2604305DFEB31AAB9E849B5677E9FF00310F254629E449E71E2DB79BC41CB20
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0073369C
                                                          • _wcslen.LIBCMT ref: 007336A7
                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00733797
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0073380C
                                                          • GetDlgCtrlID.USER32(?), ref: 0073385D
                                                          • GetWindowRect.USER32(?,?), ref: 00733882
                                                          • GetParent.USER32(?), ref: 007338A0
                                                          • ScreenToClient.USER32(00000000), ref: 007338A7
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00733921
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0073395D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                          • String ID: %s%u
                                                          • API String ID: 4010501982-679674701
                                                          • Opcode ID: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
                                                          • Instruction ID: 77a44cab104a3df3e87f57f2509f6c521f3c2253fe6fecfc8bcadcfbe7e3cc6a
                                                          • Opcode Fuzzy Hash: 5b86906b69c6d471b1fb5825197008676316b16e2cc47cdb9842836720eeaff3
                                                          • Instruction Fuzzy Hash: FC91B371204706EFE725DF24C885BEAF7A9FF44314F008619FA9AC2151DB78EA45CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00734994
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 007349DA
                                                          • _wcslen.LIBCMT ref: 007349EB
                                                          • CharUpperBuffW.USER32(?,00000000), ref: 007349F7
                                                          • _wcsstr.LIBVCRUNTIME ref: 00734A2C
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00734A64
                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00734A9D
                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00734AE6
                                                          • GetClassNameW.USER32(?,?,00000400), ref: 00734B20
                                                          • GetWindowRect.USER32(?,?), ref: 00734B8B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                          • String ID: ThumbnailClass
                                                          • API String ID: 1311036022-1241985126
                                                          • Opcode ID: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
                                                          • Instruction ID: 3fb23d8e35cc4b88847fddd582befdc8fbffc90a06de1bce9d5188855df0817b
                                                          • Opcode Fuzzy Hash: cc00528501475ab3f434850dab90e39b297c74276aaec789c25e82aa852bc4cc
                                                          • Instruction Fuzzy Hash: 8691DE711042099FEB08CF14C985BBAB7E9FF84314F04846AFD869A196DB38FD45CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00768D5A
                                                          • GetFocus.USER32 ref: 00768D6A
                                                          • GetDlgCtrlID.USER32(00000000), ref: 00768D75
                                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00768E1D
                                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00768ECF
                                                          • GetMenuItemCount.USER32(?), ref: 00768EEC
                                                          • GetMenuItemID.USER32(?,00000000), ref: 00768EFC
                                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00768F2E
                                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00768F70
                                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00768FA1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                          • String ID: 0
                                                          • API String ID: 1026556194-4108050209
                                                          • Opcode ID: 5d0b466d17f744cfb62589d16a58c63abf2e7167682eb7868730a09a1a35c803
                                                          • Instruction ID: 10a2a4f5845e8c3d90b36a96496ba7b2a45b6c59256668b71782eab77808b2e2
                                                          • Opcode Fuzzy Hash: 5d0b466d17f744cfb62589d16a58c63abf2e7167682eb7868730a09a1a35c803
                                                          • Instruction Fuzzy Hash: 8F81E071508301AFDB50CF24C884AAB7BE9FF88314F144A1DFD9697291DB79E904CB66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0073DC20
                                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0073DC46
                                                          • _wcslen.LIBCMT ref: 0073DC50
                                                          • _wcsstr.LIBVCRUNTIME ref: 0073DCA0
                                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0073DCBC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                          • API String ID: 1939486746-1459072770
                                                          • Opcode ID: 7926164579818308cb09b79c014fa0e7776a4aa343cae8f5612e1c05484d6f59
                                                          • Instruction ID: 4e0c656834795dcbc8da0990e1a3d0b0a0b5c1a438bb8f401d60f3dae81764ce
                                                          • Opcode Fuzzy Hash: 7926164579818308cb09b79c014fa0e7776a4aa343cae8f5612e1c05484d6f59
                                                          • Instruction Fuzzy Hash: 7D41F772A403047BEB55A775AC43EBF776DDF42750F10406EFA01A6183EB79AE0186B8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CC64
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0075CC8D
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD48
                                                            • Part of subcall function 0075CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0075CCAA
                                                            • Part of subcall function 0075CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0075CCBD
                                                            • Part of subcall function 0075CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0075CCCF
                                                            • Part of subcall function 0075CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0075CD05
                                                            • Part of subcall function 0075CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0075CD28
                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 0075CCF3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                                          • API String ID: 2734957052-4033151799
                                                          • Opcode ID: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
                                                          • Instruction ID: b8ba0860d2586482295cdb6391ca90cd043205d7a179a3e936eb068bd3f112d6
                                                          • Opcode Fuzzy Hash: 57230b7916e5c44c7b99b1be2f0fb1987dc9807ef0004c05555a77df9ebdcab5
                                                          • Instruction Fuzzy Hash: AF3170B1A01318BFDB229B90DC88EFFBB7CEF05741F004165E906E6140D6B89E49DAB4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00743D40
                                                          • _wcslen.LIBCMT ref: 00743D6D
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00743D9D
                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00743DBE
                                                          • RemoveDirectoryW.KERNEL32(?), ref: 00743DCE
                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00743E55
                                                          • CloseHandle.KERNEL32(00000000), ref: 00743E60
                                                          • CloseHandle.KERNEL32(00000000), ref: 00743E6B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                          • String ID: :$\$\??\%s
                                                          • API String ID: 1149970189-3457252023
                                                          • Opcode ID: 3beba508eb6fb765d907c1012c108067378ff24e783ea408df0fe7f4e70cde52
                                                          • Instruction ID: 3e2694ff55ff1c8c69f8b126240d10e10e447081ab6b0b1f6786e06245e609f3
                                                          • Opcode Fuzzy Hash: 3beba508eb6fb765d907c1012c108067378ff24e783ea408df0fe7f4e70cde52
                                                          • Instruction Fuzzy Hash: 3831B471A00209ABDB219BA1DC49FEF37BDEF89700F1041B5F619D6150E77897448B68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • timeGetTime.WINMM ref: 0073E6B4
                                                            • Part of subcall function 006EE551: timeGetTime.WINMM(?,?,0073E6D4), ref: 006EE555
                                                          • Sleep.KERNEL32(0000000A), ref: 0073E6E1
                                                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0073E705
                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0073E727
                                                          • SetActiveWindow.USER32 ref: 0073E746
                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0073E754
                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 0073E773
                                                          • Sleep.KERNEL32(000000FA), ref: 0073E77E
                                                          • IsWindow.USER32 ref: 0073E78A
                                                          • EndDialog.USER32(00000000), ref: 0073E79B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                          • String ID: BUTTON
                                                          • API String ID: 1194449130-3405671355
                                                          • Opcode ID: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
                                                          • Instruction ID: 45b46c6be4eaf3b4137bb4aeeb3ae404af5ceccf8a5c06e72832753c35833b95
                                                          • Opcode Fuzzy Hash: fc667f9e1056235d70f9d9d2e829fa35b1041ac5780bf39ff9e35c545dc4f876
                                                          • Instruction Fuzzy Hash: 0D2184B0241305EFFB125F64EC99A353B69F796348F108425F55682AE3DBBD9C118B2C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0073EA5D
                                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0073EA73
                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0073EA84
                                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0073EA96
                                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0073EAA7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: SendString$_wcslen
                                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                          • API String ID: 2420728520-1007645807
                                                          • Opcode ID: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
                                                          • Instruction ID: 8c738fe0caa5d1a88ce1add17fe38ff80b08772ae4c49754e8bac7581892db83
                                                          • Opcode Fuzzy Hash: 7bf90f6dafb71b8cf3497a45f062c5af8be2aaa790c8b2f9799816e7afe02a1a
                                                          • Instruction Fuzzy Hash: C6117371A5026979EB20A7A2EC4AEFF6B7CEBD1F50F00452EB401A21D1EEB45D05C5B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDlgItem.USER32(?,00000001), ref: 00735CE2
                                                          • GetWindowRect.USER32(00000000,?), ref: 00735CFB
                                                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00735D59
                                                          • GetDlgItem.USER32(?,00000002), ref: 00735D69
                                                          • GetWindowRect.USER32(00000000,?), ref: 00735D7B
                                                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00735DCF
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00735DDD
                                                          • GetWindowRect.USER32(00000000,?), ref: 00735DEF
                                                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00735E31
                                                          • GetDlgItem.USER32(?,000003EA), ref: 00735E44
                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00735E5A
                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00735E67
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                          • String ID:
                                                          • API String ID: 3096461208-0
                                                          • Opcode ID: 84c38101670eb317aa8a9116b6d30fffbca60a82bfc25b16431c40b213f7cd46
                                                          • Instruction ID: 270efe1b0e20eff5c49428aa34c8725e81bc6462c3f629ca918c95c07a98c087
                                                          • Opcode Fuzzy Hash: 84c38101670eb317aa8a9116b6d30fffbca60a82bfc25b16431c40b213f7cd46
                                                          • Instruction Fuzzy Hash: 49512FB1B10705AFDB18CF68CD89AAE7BB5FB48301F148129F516E7291D7B49E00CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006E8BE8,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8FC5
                                                          • DestroyWindow.USER32(?), ref: 006E8C81
                                                          • KillTimer.USER32(00000000,?,?,?,?,006E8BBA,00000000,?), ref: 006E8D1B
                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00726973
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269A1
                                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000,?), ref: 007269B8
                                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006E8BBA,00000000), ref: 007269D4
                                                          • DeleteObject.GDI32(00000000), ref: 007269E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                          • String ID:
                                                          • API String ID: 641708696-0
                                                          • Opcode ID: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
                                                          • Instruction ID: c532157a4ffe608edce663264216bfb64cc7f2faa5811376aa32e0b3253d1f69
                                                          • Opcode Fuzzy Hash: 4bb26aec956ead845dbad22fb697a3635e9652425212de7769618bfd86d23a28
                                                          • Instruction Fuzzy Hash: E861AF30003790DFDB229F16D94872677F2FB82712F64851DE0869B660CB79B981CF98
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9944: GetWindowLongW.USER32(?,000000EB), ref: 006E9952
                                                          • GetSysColor.USER32(0000000F), ref: 006E9862
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ColorLongWindow
                                                          • String ID:
                                                          • API String ID: 259745315-0
                                                          • Opcode ID: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
                                                          • Instruction ID: f2ec25cf4292dc54dc20e237437823fe99ca42be3dae8a77c56f510eeffe5df2
                                                          • Opcode Fuzzy Hash: f2cb288920d473719dd114cdb5f38dd60a17ceecf1f6f24acf7a6f9c6bf5cb41
                                                          • Instruction Fuzzy Hash: 8B41E2311017949FDB255F399C84BBA3B66AF06330F248A05F9A28B2F2D3749C42DB21
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00739717
                                                          • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739720
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0071F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00739742
                                                          • LoadStringW.USER32(00000000,?,0071F7F8,00000001), ref: 00739745
                                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00739866
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                          • API String ID: 747408836-2268648507
                                                          • Opcode ID: a0b434aca8f55dad4b28e0eeab1aed15579c73b28106b53d5bff374f8aea8f2d
                                                          • Instruction ID: b73178ec05fd28a1bbcd66298862a916ee90a2b44c65ef12ab536a63cca4b8ad
                                                          • Opcode Fuzzy Hash: a0b434aca8f55dad4b28e0eeab1aed15579c73b28106b53d5bff374f8aea8f2d
                                                          • Instruction Fuzzy Hash: EB416F72D00219AADF44EBE0DE86DEE7379AF55740F10012AF60172292EB796F48CB75
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007307A2
                                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007307BE
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007307DA
                                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00730804
                                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0073082C
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00730837
                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0073083C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                          • API String ID: 323675364-22481851
                                                          • Opcode ID: cfb9c19c16f42b70bf31833d3ba84efbc11f4b4f6bd1da4e63659d21e7fca732
                                                          • Instruction ID: 95c8acfcb59d74591375d26b5b1ddc976a2b038311719d0d3ca05f91431dd805
                                                          • Opcode Fuzzy Hash: cfb9c19c16f42b70bf31833d3ba84efbc11f4b4f6bd1da4e63659d21e7fca732
                                                          • Instruction Fuzzy Hash: 4E413872C10229ABDF15EBA4DC95CFDB779FF04350F04412AE901A32A1EB74AE04CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00753C5C
                                                          • CoInitialize.OLE32(00000000), ref: 00753C8A
                                                          • CoUninitialize.OLE32 ref: 00753C94
                                                          • _wcslen.LIBCMT ref: 00753D2D
                                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00753DB1
                                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00753ED5
                                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00753F0E
                                                          • CoGetObject.OLE32(?,00000000,0076FB98,?), ref: 00753F2D
                                                          • SetErrorMode.KERNEL32(00000000), ref: 00753F40
                                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00753FC4
                                                          • VariantClear.OLEAUT32(?), ref: 00753FD8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                          • String ID:
                                                          • API String ID: 429561992-0
                                                          • Opcode ID: 1ee407a23cb2d8df8c45d521919288e2c7b5a920656552f23e890d2d55d3a0fc
                                                          • Instruction ID: 841770becafaa3893e06454ff6e696ba423a71e296c377707055a0e028d4a502
                                                          • Opcode Fuzzy Hash: 1ee407a23cb2d8df8c45d521919288e2c7b5a920656552f23e890d2d55d3a0fc
                                                          • Instruction Fuzzy Hash: B0C135716083059FD700DF64C88496BB7E9FF89785F00491DF98A9B260DBB5ED09CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CoInitialize.OLE32(00000000), ref: 00747AF3
                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00747B8F
                                                          • SHGetDesktopFolder.SHELL32(?), ref: 00747BA3
                                                          • CoCreateInstance.OLE32(0076FD08,00000000,00000001,00796E6C,?), ref: 00747BEF
                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00747C74
                                                          • CoTaskMemFree.OLE32(?,?), ref: 00747CCC
                                                          • SHBrowseForFolderW.SHELL32(?), ref: 00747D57
                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00747D7A
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00747D81
                                                          • CoTaskMemFree.OLE32(00000000), ref: 00747DD6
                                                          • CoUninitialize.OLE32 ref: 00747DDC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                          • String ID:
                                                          • API String ID: 2762341140-0
                                                          • Opcode ID: 336efb01a9b17f2d91b6f9a7c54d470ee070cbf344fc729576b345c46eac765d
                                                          • Instruction ID: 88fa4f46b2ed3f8bcd1c0b43ce7eeebb851591999076f28b77f8412965df9cd9
                                                          • Opcode Fuzzy Hash: 336efb01a9b17f2d91b6f9a7c54d470ee070cbf344fc729576b345c46eac765d
                                                          • Instruction Fuzzy Hash: 0DC12B75A04209AFCB14DFA4C884DAEBBF9FF48314B148499E81A9B361DB34ED45CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00765504
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00765515
                                                          • CharNextW.USER32(00000158), ref: 00765544
                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00765585
                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0076559B
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007655AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CharNext
                                                          • String ID:
                                                          • API String ID: 1350042424-0
                                                          • Opcode ID: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
                                                          • Instruction ID: a9d3765b25db9d9cb9c25acf3f0b136b4d4e2724887bcd4f0457ca8e471b50d3
                                                          • Opcode Fuzzy Hash: a9f19b519fba1ca7e1668433fffe26b91a0a4dee532c32914e6578a40c3d989e
                                                          • Instruction Fuzzy Hash: FB618E30900609EFDF118F64CC84DFE7BB9EB05724F108185F967A6291DB7C9A80EB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0072FAAF
                                                          • SafeArrayAllocData.OLEAUT32(?), ref: 0072FB08
                                                          • VariantInit.OLEAUT32(?), ref: 0072FB1A
                                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0072FB3A
                                                          • VariantCopy.OLEAUT32(?,?), ref: 0072FB8D
                                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 0072FBA1
                                                          • VariantClear.OLEAUT32(?), ref: 0072FBB6
                                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 0072FBC3
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBCC
                                                          • VariantClear.OLEAUT32(?), ref: 0072FBDE
                                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0072FBE9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                          • String ID:
                                                          • API String ID: 2706829360-0
                                                          • Opcode ID: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
                                                          • Instruction ID: 510550fcb4b1984d36b7978bfcc8d2588bb2ad7a7bbf485244397592e94b6b2f
                                                          • Opcode Fuzzy Hash: 087bfa131f44d690eacc3a97a6ded732074b4658513fc3f214a4300d00ee15d7
                                                          • Instruction Fuzzy Hash: 26418E75A00269DFCB01DF64D8589AEBFB9EF08354F00C039E946A7261CB78A945CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetKeyboardState.USER32(?), ref: 00739CA1
                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00739D22
                                                          • GetKeyState.USER32(000000A0), ref: 00739D3D
                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00739D57
                                                          • GetKeyState.USER32(000000A1), ref: 00739D6C
                                                          • GetAsyncKeyState.USER32(00000011), ref: 00739D84
                                                          • GetKeyState.USER32(00000011), ref: 00739D96
                                                          • GetAsyncKeyState.USER32(00000012), ref: 00739DAE
                                                          • GetKeyState.USER32(00000012), ref: 00739DC0
                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00739DD8
                                                          • GetKeyState.USER32(0000005B), ref: 00739DEA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: State$Async$Keyboard
                                                          • String ID:
                                                          • API String ID: 541375521-0
                                                          • Opcode ID: fb361379aad0776e414fa5a19382949fe7b27a2882a2f76306813bcc5f1e7414
                                                          • Instruction ID: 6d32a2f2b0f9efbf5ff9596b3831d434f2d91112b2025aa6cb171632a572426d
                                                          • Opcode Fuzzy Hash: fb361379aad0776e414fa5a19382949fe7b27a2882a2f76306813bcc5f1e7414
                                                          • Instruction Fuzzy Hash: BC41B5346047CA69FF719674C8053B6BEA06F11344F08805ADBC7566C3EBED99D8CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WSAStartup.WSOCK32(00000101,?), ref: 007505BC
                                                          • inet_addr.WSOCK32(?), ref: 0075061C
                                                          • gethostbyname.WSOCK32(?), ref: 00750628
                                                          • IcmpCreateFile.IPHLPAPI ref: 00750636
                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007506C6
                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007506E5
                                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 007507B9
                                                          • WSACleanup.WSOCK32 ref: 007507BF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                          • String ID: Ping
                                                          • API String ID: 1028309954-2246546115
                                                          • Opcode ID: 3d0551ae519d38d9f73b255a06cb717fa7b4d2c880b2c17cb72265b180e75a89
                                                          • Instruction ID: feb911616852a11f65a144d2db004482e7efd395c37ba8469346978a71fce0e8
                                                          • Opcode Fuzzy Hash: 3d0551ae519d38d9f73b255a06cb717fa7b4d2c880b2c17cb72265b180e75a89
                                                          • Instruction Fuzzy Hash: 7B918D755042019FD720CF15C488F5ABBE1EF48318F1489A9E86A8B7A2D7B8ED49CFD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharLower
                                                          • String ID: cdecl$none$stdcall$winapi
                                                          • API String ID: 707087890-567219261
                                                          • Opcode ID: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
                                                          • Instruction ID: a7b34931148121a93e99812c5ecf47b64bce4b8377e0ade6bc4057e9b4f34c78
                                                          • Opcode Fuzzy Hash: 5c643f9dc279783118a9dc3de1e2d3a1fd070a837c8a66843c51095ff92acf33
                                                          • Instruction Fuzzy Hash: 8751AE31A001169BCB94DF68C8419FEB3B2AF69721B204229E866F7284DFB9DD44C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CoInitialize.OLE32 ref: 00753774
                                                          • CoUninitialize.OLE32 ref: 0075377F
                                                          • CoCreateInstance.OLE32(?,00000000,00000017,0076FB78,?), ref: 007537D9
                                                          • IIDFromString.OLE32(?,?), ref: 0075384C
                                                          • VariantInit.OLEAUT32(?), ref: 007538E4
                                                          • VariantClear.OLEAUT32(?), ref: 00753936
                                                          Strings
                                                          Similarity
                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                          • API String ID: 636576611-1287834457
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                            • Part of subcall function 006E912D: GetCursorPos.USER32(?), ref: 006E9141
                                                            • Part of subcall function 006E912D: ScreenToClient.USER32(00000000,?), ref: 006E915E
                                                            • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                                            • Part of subcall function 006E912D: GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00768B6B
                                                          • ImageList_EndDrag.COMCTL32 ref: 00768B71
                                                          • ReleaseCapture.USER32 ref: 00768B77
                                                          • SetWindowTextW.USER32(?,00000000), ref: 00768C12
                                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00768C25
                                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00768CFF
                                                          Strings
                                                          Similarity
                                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID$p#z
                                                          • API String ID: 1924731296-3428299791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007433CF
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007433F0
                                                          Strings
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-3080491070
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                          • API String ID: 1256254125-769500911
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 007453A0
                                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00745416
                                                          • GetLastError.KERNEL32 ref: 00745420
                                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 007454A7
                                                          Strings
                                                          Similarity
                                                          • API ID: Error$Mode$DiskFreeLastSpace
                                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                          • API String ID: 4194297153-14809454
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateMenu.USER32 ref: 00763C79
                                                          • SetMenu.USER32(?,00000000), ref: 00763C88
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00763D10
                                                          • IsMenu.USER32(?), ref: 00763D24
                                                          • CreatePopupMenu.USER32 ref: 00763D2E
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00763D5B
                                                          • DrawMenuBar.USER32 ref: 00763D63
                                                          Strings
                                                          Similarity
                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                          • String ID: 0$F
                                                          • API String ID: 161812096-3044882817
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00763A9D
                                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00763AA0
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00763AC7
                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00763AEA
                                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00763B62
                                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00763BAC
                                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00763BC7
                                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00763BE2
                                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00763BF6
                                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00763C13
                                                          Similarity
                                                          • API ID: MessageSend$LongWindow
                                                          • String ID:
                                                          • API String ID: 312131281-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 00702C94
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 00702CA0
                                                          • _free.LIBCMT ref: 00702CAB
                                                          • _free.LIBCMT ref: 00702CB6
                                                          • _free.LIBCMT ref: 00702CC1
                                                          • _free.LIBCMT ref: 00702CCC
                                                          • _free.LIBCMT ref: 00702CD7
                                                          • _free.LIBCMT ref: 00702CE2
                                                          • _free.LIBCMT ref: 00702CED
                                                          • _free.LIBCMT ref: 00702CFB
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006D1459
                                                          • OleUninitialize.OLE32(?,00000000), ref: 006D14F8
                                                          • UnregisterHotKey.USER32(?), ref: 006D16DD
                                                          • DestroyWindow.USER32(?), ref: 007124B9
                                                          • FreeLibrary.KERNEL32(?), ref: 0071251E
                                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0071254B
                                                          Strings
                                                          Similarity
                                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                          • String ID: close all
                                                          • API String ID: 469580280-3243417748
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00747FAD
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00747FC1
                                                          • GetFileAttributesW.KERNEL32(?), ref: 00747FEB
                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00748005
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00748017
                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00748060
                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007480B0
                                                          Strings
                                                          Similarity
                                                          • API ID: CurrentDirectory$AttributesFile
                                                          • String ID: *.*
                                                          • API String ID: 769691225-438819550
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(?,000000EB), ref: 006D5C7A
                                                            • Part of subcall function 006D5D0A: GetClientRect.USER32(?,?), ref: 006D5D30
                                                            • Part of subcall function 006D5D0A: GetWindowRect.USER32(?,?), ref: 006D5D71
                                                            • Part of subcall function 006D5D0A: ScreenToClient.USER32(?,?), ref: 006D5D99
                                                          • GetDC.USER32 ref: 007146F5
                                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00714708
                                                          • SelectObject.GDI32(00000000,00000000), ref: 00714716
                                                          • SelectObject.GDI32(00000000,00000000), ref: 0071472B
                                                          • ReleaseDC.USER32(?,00000000), ref: 00714733
                                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007147C4
                                                          Similarity
                                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                          • String ID: U
                                                          • API String ID: 4009187628-3372436214
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
                                                          Similarity
                                                          • API ID: LoadString$_wcslen
                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                          • API String ID: 4099089115-2391861430
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0074C29A
                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0074C2CA
                                                          • GetLastError.KERNEL32 ref: 0074C322
                                                          • SetEvent.KERNEL32(?), ref: 0074C336
                                                          • InternetCloseHandle.WININET(00000000), ref: 0074C341
                                                          Similarity
                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                          • String ID:
                                                          • API String ID: 3113390036-3916222277
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00713AAF,?,?,Bad directive syntax error,0076CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007398BC
                                                          • LoadStringW.USER32(00000000,?,00713AAF,?), ref: 007398C3
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00739987
                                                          Similarity
                                                          • API ID: HandleLoadMessageModuleString_wcslen
                                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                          • API String ID: 858772685-4153970271
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetParent.USER32 ref: 007320AB
                                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 007320C0
                                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0073214D
                                                          Similarity
                                                          • API ID: ClassMessageNameParentSend
                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                          • API String ID: 1290815626-3381328864
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                          • String ID:
                                                          • API String ID: 1282221369-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00765186
                                                          • ShowWindow.USER32(?,00000000), ref: 007651C7
                                                          • ShowWindow.USER32(?,00000005,?,00000000), ref: 007651CD
                                                          • SetFocus.USER32(?,?,00000005,?,00000000), ref: 007651D1
                                                            • Part of subcall function 00766FBA: DeleteObject.GDI32(00000000), ref: 00766FE6
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0076520D
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0076521A
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0076524D
                                                          • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00765287
                                                          • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00765296
                                                          Similarity
                                                          • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                          • String ID:
                                                          • API String ID: 3210457359-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00726890
                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007268A9
                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007268B9
                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007268D1
                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007268F2
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00726901
                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0072691E
                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0072692D
                                                          Similarity
                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                          • String ID:
                                                          • API String ID: 1268354404-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0074C182
                                                          • GetLastError.KERNEL32 ref: 0074C195
                                                          • SetEvent.KERNEL32(?), ref: 0074C1A9
                                                            • Part of subcall function 0074C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0074C272
                                                            • Part of subcall function 0074C253: GetLastError.KERNEL32 ref: 0074C322
                                                            • Part of subcall function 0074C253: SetEvent.KERNEL32(?), ref: 0074C336
                                                            • Part of subcall function 0074C253: InternetCloseHandle.WININET(00000000), ref: 0074C341
                                                          Similarity
                                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                          • String ID:
                                                          • API String ID: 337547030-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                                            • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                                            • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325BD
                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007325DB
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007325DF
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 007325E9
                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00732601
                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00732605
                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0073260F
                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00732623
                                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00732627
                                                          Similarity
                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                          • String ID:
                                                          • API String ID: 2014098862-0
                                                          • Opcode ID: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
                                                          • Instruction ID: 58749824395ef0a3cd213885e9637fcb0f503eef39c5a056950e5e8f64cbda7a
                                                          • Opcode Fuzzy Hash: e9c4d3b46787181fda0e4f9fc104202ad761656a1e39a24fe3e88b9f6e2d7599
                                                          • Instruction Fuzzy Hash: 0901B170390314BBFB206768DC8FF693E59DB4AB12F104041F359AE0E2C9EA28458A6D
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00731449,?,?,00000000), ref: 0073180C
                                                          • HeapAlloc.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731813
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731828
                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00731449,?,?,00000000), ref: 00731830
                                                          • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 00731833
                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00731449,?,?,00000000), ref: 00731843
                                                          • GetCurrentProcess.KERNEL32(00731449,00000000,?,00731449,?,?,00000000), ref: 0073184B
                                                          • DuplicateHandle.KERNEL32(00000000,?,00731449,?,?,00000000), ref: 0073184E
                                                          • CreateThread.KERNEL32(00000000,00000000,00731874,00000000,00000000,00000000), ref: 00731868
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                          • String ID:
                                                          • API String ID: 1957940570-0
                                                          • Opcode ID: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
                                                          • Instruction ID: 7af4586682d79fdd02922e4202f9aea89e0a75d119d406d5ee64f6d68ef4e480
                                                          • Opcode Fuzzy Hash: bba34851ef44c44349ff529f565cf02bcadf1eb55fc13f5368194b4992b6db62
                                                          • Instruction Fuzzy Hash: DE01BFB5240348BFE711AB65DC4EF673B6CEB8AB11F418411FA45DB191C6B59C00CB34
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0073D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
                                                            • Part of subcall function 0073D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
                                                            • Part of subcall function 0073D4DC: CloseHandle.KERNEL32(00000000), ref: 0073D5DC
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A16D
                                                          • GetLastError.KERNEL32 ref: 0075A180
                                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0075A1B3
                                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 0075A268
                                                          • GetLastError.KERNEL32(00000000), ref: 0075A273
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075A2C4
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                          • String ID: SeDebugPrivilege
                                                          • API String ID: 2533919879-2896544425
                                                          • Opcode ID: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
                                                          • Instruction ID: 2d5076510f2ac23343b7d3232febcbdc6b508e1886fbf137faa63d9ed84abe1f
                                                          • Opcode Fuzzy Hash: a113764b83badd6d8d7ccc8dffd7bd66d3a5f4dd373e8a4efb2b348a3950ccb6
                                                          • Instruction Fuzzy Hash: E761B171204242AFD710DF19C495F65BBE1BF84318F14859CE8568B7A3C7BAEC49CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00763925
                                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0076393A
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00763954
                                                          • _wcslen.LIBCMT ref: 00763999
                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 007639C6
                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 007639F4
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$Window_wcslen
                                                          • String ID: SysListView32
                                                          • API String ID: 2147712094-78025650
                                                          • Opcode ID: 5c7dcfc4952fdc0402e8fbca96f5d5dd2ce03124b1360d96417510374086a4bd
                                                          • Instruction ID: b19383b339d33875891d6c9d52597726938d4ef7b59656340d169247639685a7
                                                          • Opcode Fuzzy Hash: 5c7dcfc4952fdc0402e8fbca96f5d5dd2ce03124b1360d96417510374086a4bd
                                                          • Instruction Fuzzy Hash: 6441D871A00319ABEF219F64CC49FEA77A9EF08354F10016AF955E7281D7B99D80CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0073BCFD
                                                          • IsMenu.USER32(00000000), ref: 0073BD1D
                                                          • CreatePopupMenu.USER32 ref: 0073BD53
                                                          • GetMenuItemCount.USER32(015C6BC0), ref: 0073BDA4
                                                          • InsertMenuItemW.USER32(015C6BC0,?,00000001,00000030), ref: 0073BDCC
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                          • String ID: 0$2
                                                          • API String ID: 93392585-3793063076
                                                          • Opcode ID: 0323591d10505c7d26d13da446df9f309b7e2fbf9c4bc6e12816507217e2b0c8
                                                          • Instruction ID: 4e9dfb1b1616064414aab30670b2a3bad5e1b172d9c8b18e9ec3d228bc5b5a39
                                                          • Opcode Fuzzy Hash: 0323591d10505c7d26d13da446df9f309b7e2fbf9c4bc6e12816507217e2b0c8
                                                          • Instruction Fuzzy Hash: EA51D270B10309DBEF11DFA8D888BAEBBF4BF45314F248119E642D7292D778A940CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _ValidateLocalCookies.LIBCMT ref: 006F2D4B
                                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 006F2D53
                                                          • _ValidateLocalCookies.LIBCMT ref: 006F2DE1
                                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 006F2E0C
                                                          • _ValidateLocalCookies.LIBCMT ref: 006F2E61
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                          • String ID: &Ho$csm
                                                          • API String ID: 1170836740-2077702024
                                                          • Opcode ID: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
                                                          • Instruction ID: f703c9eea8bb3f9fb39bf99ab3fd6a378596394a0355c0b63e31ddac373f0123
                                                          • Opcode Fuzzy Hash: f6a94c6f19235291afb56e7521eb9cc2da098255eacefc04e7aa7ffc6c5fd22d
                                                          • Instruction Fuzzy Hash: F141A434A0021EABCF10DF68C855AEEBBB6BF45354F148155EA14AB392D7359A11CFD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadIconW.USER32(00000000,00007F03), ref: 0073C913
                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: IconLoad
                                                          • String ID: blank$info$question$stop$warning
                                                          • API String ID: 2457776203-404129466
                                                          • Opcode ID: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
                                                          • Instruction ID: 7719464671d4327051e223bf23474e459e5ed616b19606c50cd7e6a43706e579
                                                          • Opcode Fuzzy Hash: 08e135b5ef8f20f1f7049caa3c0956f4cb09f55a839453ff335c4f3606bd45b9
                                                          • Instruction Fuzzy Hash: D511EB3268930ABEBB029B55AC82DAB779CDF15754F11006EF500B6183EBAD7F005368
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$LocalTime
                                                          • String ID:
                                                          • API String ID: 952045576-0
                                                          • Opcode ID: e4b8644315091cb30925ac25193e0e5a6c09641022a926cd9cf728660350de70
                                                          • Instruction ID: 953233d71ce4e2f53a67f8cd337d2b747e19839fe56707d770a17ad22f643e5b
                                                          • Opcode Fuzzy Hash: e4b8644315091cb30925ac25193e0e5a6c09641022a926cd9cf728660350de70
                                                          • Instruction Fuzzy Hash: 9D41B065D1021C75DB51EBB4C88A9DFB3AAAF45700F40846AF618E3162FB38E345C3E9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 006EF953
                                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F3D1
                                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0072F454
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ShowWindow
                                                          • String ID:
                                                          • API String ID: 1268545403-0
                                                          • Opcode ID: 184ced469cb754abed815b45902d6965275a994cd9434f4cb57d7512b3803563
                                                          • Instruction ID: 062bb6544e084ecf765a34ef74093c6220656b5b4e65e697ae4fde4e97b97505
                                                          • Opcode Fuzzy Hash: 184ced469cb754abed815b45902d6965275a994cd9434f4cb57d7512b3803563
                                                          • Instruction Fuzzy Hash: 8F412A302197C0BBC7399B2AD88877A7BA3AB46310F15843DF0C757663C679A881CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DeleteObject.GDI32(00000000), ref: 00762D1B
                                                          • GetDC.USER32(00000000), ref: 00762D23
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00762D2E
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00762D3A
                                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00762D76
                                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00762D87
                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00765A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00762DC2
                                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00762DE1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                          • String ID:
                                                          • API String ID: 3864802216-0
                                                          • Opcode ID: 2eca772ffb24327bd19ee26f9e20a0da3daa88bd3f8c08ae26a0a95bf0d7b13c
                                                          • Instruction ID: e59e62a9a3103ee56d2bdecc53e4818e11792e9de70ddbf83036de619ca0352e
                                                          • Opcode Fuzzy Hash: 2eca772ffb24327bd19ee26f9e20a0da3daa88bd3f8c08ae26a0a95bf0d7b13c
                                                          • Instruction Fuzzy Hash: F5319172201614BFEB154F50CC49FFB3BADEF09715F044055FE499A192C6B99C41CBA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                           Memory Dump Source
                                                           • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                           • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                           • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Similarity
                                                          • API ID:
                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                          • API String ID: 0-572801152
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007117FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007115CE
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711651
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007117FB,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116E4
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007116FB
                                                            • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007117FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00711777
                                                          • __freea.LIBCMT ref: 007117A2
                                                          • __freea.LIBCMT ref: 007117AE
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                          • String ID:
                                                          • API String ID: 2829977744-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Similarity
                                                          • API ID: Variant$ClearInit
                                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                          • API String ID: 2610073882-625585964
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0074125C
                                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00741284
                                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007412A8
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007412D8
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0074135F
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007413C4
                                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00741430
                                                          Similarity
                                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                          • String ID:
                                                          • API String ID: 2550207440-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 0075396B
                                                          • CharUpperBuffW.USER32(?,?), ref: 00753A7A
                                                          • _wcslen.LIBCMT ref: 00753A8A
                                                          • VariantClear.OLEAUT32(?), ref: 00753C1F
                                                            • Part of subcall function 00740CDF: VariantInit.OLEAUT32(00000000), ref: 00740D1F
                                                            • Part of subcall function 00740CDF: VariantCopy.OLEAUT32(?,?), ref: 00740D28
                                                            • Part of subcall function 00740CDF: VariantClear.OLEAUT32(?), ref: 00740D34
                                                          Similarity
                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                          • API String ID: 4137639002-1221869570
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0073000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
                                                            • Part of subcall function 0073000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
                                                            • Part of subcall function 0073000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
                                                            • Part of subcall function 0073000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00754C51
                                                          • _wcslen.LIBCMT ref: 00754D59
                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00754DCF
                                                          • CoTaskMemFree.OLE32(?), ref: 00754DDA
                                                          Similarity
                                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                          • String ID: NULL Pointer assignment
                                                          • API String ID: 614568839-2785691316
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetMenu.USER32(?), ref: 00762183
                                                          • GetMenuItemCount.USER32(00000000), ref: 007621B5
                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007621DD
                                                          • _wcslen.LIBCMT ref: 00762213
                                                          • GetMenuItemID.USER32(?,?), ref: 0076224D
                                                          • GetSubMenu.USER32(?,?), ref: 0076225B
                                                            • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                                            • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                                            • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007622E3
                                                            • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                                          Similarity
                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                          • String ID:
                                                          • API String ID: 4196846111-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetParent.USER32(?), ref: 0073AEF9
                                                          • GetKeyboardState.USER32(?), ref: 0073AF0E
                                                          • SetKeyboardState.USER32(?), ref: 0073AF6F
                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0073AF9D
                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0073AFBC
                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 0073AFFD
                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0073B020
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetParent.USER32(00000000), ref: 0073AD19
                                                          • GetKeyboardState.USER32(?), ref: 0073AD2E
                                                          • SetKeyboardState.USER32(?), ref: 0073AD8F
                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0073ADBB
                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0073ADD8
                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0073AE17
                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0073AE38
                                                          Similarity
                                                          • API ID: MessagePost$KeyboardState$Parent
                                                          • String ID:
                                                          • API String ID: 87235514-0
                                                          • Opcode ID: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
                                                          • Instruction ID: 0447e52ab97c429342cdcf0af972e4bdb83a60a4f4b22822ef6659b011641b9f
                                                          • Opcode Fuzzy Hash: af5ae70e6b4cd819382befcc31a51b298cd98d25e86410dd415f496c1cd5ffad
                                                          • Instruction Fuzzy Hash: 5551D2A1A547D53DFB378334CC57B7ABEA86B46300F088588E1D54A8C3D29CEC88D762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetConsoleCP.KERNEL32(00713CD6,?,?,?,?,?,?,?,?,00705BA3,?,?,00713CD6,?,?), ref: 00705470
                                                          • __fassign.LIBCMT ref: 007054EB
                                                          • __fassign.LIBCMT ref: 00705506
                                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00713CD6,00000005,00000000,00000000), ref: 0070552C
                                                          • WriteFile.KERNEL32(?,00713CD6,00000000,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 0070554B
                                                          • WriteFile.KERNEL32(?,?,00000001,00705BA3,00000000,?,?,?,?,?,?,?,?,?,00705BA3,?), ref: 00705584
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                          • String ID:
                                                          • API String ID: 1324828854-0
                                                          • Opcode ID: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
                                                          • Instruction ID: 93e5faad942c77b0f136366034d5f8c680b91afc7a060824a6dc58f200d304ff
                                                          • Opcode Fuzzy Hash: 72148edba0950030cd261861e038906098e80c9f425ffcf3c2ccfba6e8bb0a1d
                                                          • Instruction Fuzzy Hash: 3351D1B0A00648DFDB11CFA8DC45AEEBBFAEF09300F14421AF546E3291E6349A51CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0075304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                                            • Part of subcall function 0075304E: _wcslen.LIBCMT ref: 0075309B
                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00751112
                                                          • WSAGetLastError.WSOCK32 ref: 00751121
                                                          • WSAGetLastError.WSOCK32 ref: 007511C9
                                                          • closesocket.WSOCK32(00000000), ref: 007511F9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                          • String ID:
                                                          • API String ID: 2675159561-0
                                                          • Opcode ID: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
                                                          • Instruction ID: feb7fcc3ecfa8e6373ac689c27c791dc93df588096a601cf97eda304a8dc937c
                                                          • Opcode Fuzzy Hash: cc31d782b140be486cd05b6e0f5af7f5728540ecf732877cb0a390cfa3051aa6
                                                          • Instruction Fuzzy Hash: 73412731600608AFDB109F24C884BE9B7EAEF44326F148099FD469B291C7B8ED45CBE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                                                            • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0073CF45
                                                          • MoveFileW.KERNEL32(?,?), ref: 0073CF7F
                                                          • _wcslen.LIBCMT ref: 0073D005
                                                          • _wcslen.LIBCMT ref: 0073D01B
                                                          • SHFileOperationW.SHELL32(?), ref: 0073D061
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                          • String ID: \*.*
                                                          • API String ID: 3164238972-1173974218
                                                          • Opcode ID: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
                                                          • Instruction ID: 9601f03266f9bd683ce9cf6b0f7c8f76a9196e5331cd82915d131985145e2991
                                                          • Opcode Fuzzy Hash: 373d02fcb99c48e86bf8d21b40618f4b2438aaaa9cbbe721821abaf7dd37aecd
                                                          • Instruction Fuzzy Hash: 06414672D0521D9EEF16EBA4D985AEE77B9AF08340F0000E6E545EB142EB38AA44CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00762E1C
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E4F
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00762E84
                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00762EB6
                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00762EE0
                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00762EF1
                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00762F0B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: LongWindow$MessageSend
                                                          • String ID:
                                                          • API String ID: 2178440468-0
                                                          • Opcode ID: 7a5ad5d8c28bb9b865106da4adab3ab8c8fc295b98a752fb29028662771842c9
                                                          • Instruction ID: b9434c6ee2478be88427f775a08e3c143a25a46c4fd52119f2fb3df546c61c9b
                                                          • Opcode Fuzzy Hash: 7a5ad5d8c28bb9b865106da4adab3ab8c8fc295b98a752fb29028662771842c9
                                                          • Instruction Fuzzy Hash: C23139306446409FEB61CF58DC88F6537E0FB9A710F1541A5F9529F2B2CBBAAC41DB09
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737769
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0073778F
                                                          • SysAllocString.OLEAUT32(00000000), ref: 00737792
                                                          • SysAllocString.OLEAUT32(?), ref: 007377B0
                                                          • SysFreeString.OLEAUT32(?), ref: 007377B9
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007377DE
                                                          • SysAllocString.OLEAUT32(?), ref: 007377EC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: bbee886bc1201473723df13575450ecd2ae27f144eb46fb41041cd64c617f75c
                                                          • Instruction ID: 905302cf645ea7bf19f148562bf9405b07415cf1316ca88ab69910b5868b256d
                                                          • Opcode Fuzzy Hash: bbee886bc1201473723df13575450ecd2ae27f144eb46fb41041cd64c617f75c
                                                          • Instruction Fuzzy Hash: 4721C4B6609219AFEF24DFA9CC88CBB77ACEB09364B008025F905DB151DAB8DC41C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737842
                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00737868
                                                          • SysAllocString.OLEAUT32(00000000), ref: 0073786B
                                                          • SysAllocString.OLEAUT32 ref: 0073788C
                                                          • SysFreeString.OLEAUT32 ref: 00737895
                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 007378AF
                                                          • SysAllocString.OLEAUT32(?), ref: 007378BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                          • String ID:
                                                          • API String ID: 3761583154-0
                                                          • Opcode ID: 5d48b144ddeacd98e9265a6c0794f6036c1ec03c5df8591cbd294b8bda0f6a2a
                                                          • Instruction ID: e8c4cc6ed81ea05ec160518e5ebf34c4d69a3caa67b58542d631519cc673d62e
                                                          • Opcode Fuzzy Hash: 5d48b144ddeacd98e9265a6c0794f6036c1ec03c5df8591cbd294b8bda0f6a2a
                                                          • Instruction Fuzzy Hash: 3921C771605305BFEB249FA9CC88DBA77ECEB09360B108025F955DB1A1DA78DC41CB68
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetStdHandle.KERNEL32(0000000C), ref: 007404F2
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0074052E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
                                                          • Instruction ID: 1ed6b0ae9746cf76329a977088bf188d6789a4ecf8eb0a35fe2322b87cdec4d2
                                                          • Opcode Fuzzy Hash: a3b9fd20309b675d013962801efb4031f8a59f66ce1eaac0174a8aa3c32314d0
                                                          • Instruction Fuzzy Hash: D72162755003059FDF209F29DC44E5AB7A4FF45724F204A19F9A1E72E0D7749960CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetStdHandle.KERNEL32(000000F6), ref: 007405C6
                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00740601
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateHandlePipe
                                                          • String ID: nul
                                                          • API String ID: 1424370930-2873401336
                                                          • Opcode ID: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
                                                          • Instruction ID: b03be76a21f565ee09cbc3a2660e6efd93a7f04d0da6d579e47c2e76eeaef315
                                                          • Opcode Fuzzy Hash: bcd0efed980d3023c39921f52fa58164d8d19dbd06c047e5e0b18597057b5c57
                                                          • Instruction Fuzzy Hash: 7421A3755003059FDB209F698C08A6A77E4BF85720F204A19FEA2E72D0D7B49860CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                                            • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                                                            • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00764112
                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0076411F
                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0076412A
                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00764139
                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00764145
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                          • String ID: Msctls_Progress32
                                                          • API String ID: 1025951953-3636473452
                                                          • Opcode ID: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
                                                          • Instruction ID: 93e9be30a6fade97cbfa1dfe121dc6c79434937424a38b0d17747306aba4796b
                                                          • Opcode Fuzzy Hash: 3ecfc59030ac7d15fad0aa5f2d1c86abb04ce2bb1f493cc7eba3eb5208b7fe63
                                                          • Instruction Fuzzy Hash: 2811B2B215021DBEEF119F64CC85EE77F9DEF09798F008111FB18A2150C6769C61DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0070D7A3: _free.LIBCMT ref: 0070D7CC
                                                          • _free.LIBCMT ref: 0070D82D
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 0070D838
                                                          • _free.LIBCMT ref: 0070D843
                                                          • _free.LIBCMT ref: 0070D897
                                                          • _free.LIBCMT ref: 0070D8A2
                                                          • _free.LIBCMT ref: 0070D8AD
                                                          • _free.LIBCMT ref: 0070D8B8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0

                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0073DA74
                                                          • LoadStringW.USER32(00000000), ref: 0073DA7B
                                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0073DA91
                                                          • LoadStringW.USER32(00000000), ref: 0073DA98
                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0073DADC
                                                          Strings
                                                          • %s (%d) : ==> %s: %s %s, xrefs: 0073DAB9
                                                          Similarity
                                                          • API ID: HandleLoadModuleString$Message
                                                          • String ID: %s (%d) : ==> %s: %s %s
                                                          • API String ID: 4072794657-3128320259

                                                          APIs
                                                          • InterlockedExchange.KERNEL32(015BE408,015BE408), ref: 0074097B
                                                          • EnterCriticalSection.KERNEL32(015BE3E8,00000000), ref: 0074098D
                                                          • TerminateThread.KERNEL32(00000000,000001F6), ref: 0074099B
                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 007409A9
                                                          • CloseHandle.KERNEL32(00000000), ref: 007409B8
                                                          • InterlockedExchange.KERNEL32(015BE408,000001F6), ref: 007409C8
                                                          • LeaveCriticalSection.KERNEL32(015BE3E8), ref: 007409CF
                                                          Similarity
                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                          • String ID:
                                                          • API String ID: 3495660284-0

                                                          APIs
                                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00751DC0
                                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00751DE1
                                                          • WSAGetLastError.WSOCK32 ref: 00751DF2
                                                          • htons.WSOCK32(?,?,?,?,?), ref: 00751EDB
                                                          • inet_ntoa.WSOCK32(?), ref: 00751E8C
                                                            • Part of subcall function 007339E8: _strlen.LIBCMT ref: 007339F2
                                                            • Part of subcall function 00753224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0074EC0C), ref: 00753240
                                                          • _strlen.LIBCMT ref: 00751F35
                                                          Similarity
                                                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                          • String ID:
                                                          • API String ID: 3203458085-0

                                                          APIs
                                                          • GetClientRect.USER32(?,?), ref: 006D5D30
                                                          • GetWindowRect.USER32(?,?), ref: 006D5D71
                                                          • ScreenToClient.USER32(?,?), ref: 006D5D99
                                                          • GetClientRect.USER32(?,?), ref: 006D5ED7
                                                          • GetWindowRect.USER32(?,?), ref: 006D5EF8
                                                          Similarity
                                                          • API ID: Rect$Client$Window$Screen
                                                          • String ID:
                                                          • API String ID: 1296646539-0

                                                          APIs
                                                          • __allrem.LIBCMT ref: 007000BA
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007000D6
                                                          • __allrem.LIBCMT ref: 007000ED
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0070010B
                                                          • __allrem.LIBCMT ref: 00700122
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00700140
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                          • String ID:
                                                          • API String ID: 1992179935-0

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006F82D9,006F82D9,?,?,?,0070644F,00000001,00000001,8BE85006), ref: 00706258
                                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0070644F,00000001,00000001,8BE85006,?,?,?), ref: 007062DE
                                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007063D8
                                                          • __freea.LIBCMT ref: 007063E5
                                                            • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                                          • __freea.LIBCMT ref: 007063EE
                                                          • __freea.LIBCMT ref: 00706413
                                                          Similarity
                                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1414292761-0

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BCCA
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BD25
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0075BD6A
                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0075BD99
                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0075BDF3
                                                          • RegCloseKey.ADVAPI32(?), ref: 0075BDFF
                                                          Similarity
                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                          • String ID:
                                                          • API String ID: 1120388591-0

                                                          APIs
                                                          • VariantInit.OLEAUT32(00000035), ref: 0072F7B9
                                                          • SysAllocString.OLEAUT32(00000001), ref: 0072F860
                                                          • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F889
                                                          • VariantClear.OLEAUT32(0072FA64), ref: 0072F8AD
                                                          • VariantCopy.OLEAUT32(0072FA64,00000000), ref: 0072F8B1
                                                          • VariantClear.OLEAUT32(?), ref: 0072F8BB
                                                          Similarity
                                                          • API ID: Variant$ClearCopy$AllocInitString
                                                          • String ID:
                                                          • API String ID: 3859894641-0

                                                          APIs
                                                            • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 007494E5
                                                          • _wcslen.LIBCMT ref: 00749506
                                                          • _wcslen.LIBCMT ref: 0074952D
                                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00749585
                                                          Similarity
                                                          • API ID: _wcslen$FileName$OpenSave
                                                          • String ID: X
                                                          • API String ID: 83654149-3081909835

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • BeginPaint.USER32(?,?,?), ref: 006E9241
                                                          • GetWindowRect.USER32(?,?), ref: 006E92A5
                                                          • ScreenToClient.USER32(?,?), ref: 006E92C2
                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006E92D3
                                                          • EndPaint.USER32(?,?,?,?,?), ref: 006E9321
                                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007271EA
                                                            • Part of subcall function 006E9339: BeginPath.GDI32(00000000), ref: 006E9357
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                          • String ID:
                                                          • API String ID: 3050599898-0
                                                          • Opcode ID: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
                                                          • Instruction ID: 406f56c88ab487128e234f3c1157ec71c64a1cf9239508a59b34d8c4eb5b0573
                                                          • Opcode Fuzzy Hash: 38ea0b68587e41847d58a21dbd254755bf241000b0f46e1f5c7ee1a16015cdea
                                                          • Instruction Fuzzy Hash: 7941E030105340AFE711DF25DC84FBB7BA9EF86320F104229FAA5872E1C774A845DB66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 0074080C
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00740847
                                                          • EnterCriticalSection.KERNEL32(?), ref: 00740863
                                                          • LeaveCriticalSection.KERNEL32(?), ref: 007408DC
                                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007408F3
                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00740921
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                          • String ID:
                                                          • API String ID: 3368777196-0
                                                          • Opcode ID: 1af9cc5f6559b8fd1685641086149a329bf502f71b01aa0adddb8685a01fe495
                                                          • Instruction ID: 176038c1395d604e9a5befa5a508e98b62bc0755d1b71423d633178c50660099
                                                          • Opcode Fuzzy Hash: 1af9cc5f6559b8fd1685641086149a329bf502f71b01aa0adddb8685a01fe495
                                                          • Instruction Fuzzy Hash: 28419C71900205EFEF05AF54DC85A6A7779FF04300F1080A9EE00AA297DB74EE65DBA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0072F3AB,00000000,?,?,00000000,?,0072682C,00000004,00000000,00000000), ref: 0076824C
                                                          • EnableWindow.USER32(00000000,00000000), ref: 00768272
                                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 007682D1
                                                          • ShowWindow.USER32(00000000,00000004), ref: 007682E5
                                                          • EnableWindow.USER32(00000000,00000001), ref: 0076830B
                                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0076832F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Show$Enable$MessageSend
                                                          • String ID:
                                                          • API String ID: 642888154-0
                                                          • Opcode ID: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
                                                          • Instruction ID: 496c3847ef0e472e8fc63a7f21895a7a5a06340e9cf15d6852dc64cdd15b8fdd
                                                          • Opcode Fuzzy Hash: 2ac1a5c29f5fe90d9aac1d4f4f798fbe6ce6075ddb300de8d99bb6ea6498d3be
                                                          • Instruction Fuzzy Hash: 7241E830601640EFDB56CF15C8A9BE87BE0FB46714F1843A9E94A4F272CB39A841CB46
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsWindowVisible.USER32(?), ref: 00734C95
                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00734CB2
                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00734CEA
                                                          • _wcslen.LIBCMT ref: 00734D08
                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00734D10
                                                          • _wcsstr.LIBVCRUNTIME ref: 00734D1A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                          • String ID:
                                                          • API String ID: 72514467-0
                                                          • Opcode ID: cf7ab9a263a14f81e6901db5c862dfa4a9c21a712c2d6c8a17b1be01a5b67906
                                                          • Instruction ID: 652acf3116213d61dedf365a65aee826ed49ec27f3cca9cf57ff2e2045c466d2
                                                          • Opcode Fuzzy Hash: cf7ab9a263a14f81e6901db5c862dfa4a9c21a712c2d6c8a17b1be01a5b67906
                                                          • Instruction Fuzzy Hash: B2212932305304BBFB195B35EC09E7B7B9DDF45750F10806DF905CA192EEA9EC0086A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006D3A97,?,?,006D2E7F,?,?,?,00000000), ref: 006D3AC2
                                                          • _wcslen.LIBCMT ref: 0074587B
                                                          • CoInitialize.OLE32(00000000), ref: 00745995
                                                          • CoCreateInstance.OLE32(0076FCF8,00000000,00000001,0076FB68,?), ref: 007459AE
                                                          • CoUninitialize.OLE32 ref: 007459CC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                          • String ID: .lnk
                                                          • API String ID: 3172280962-24824748
                                                          • Opcode ID: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
                                                          • Instruction ID: 34272237e39419d327b684f75dea15cc4c646b881185779a39875e0e21873e5a
                                                          • Opcode Fuzzy Hash: c94bdcb5356e88c5c068ab8dba1a093f5b7c3958d45d01a1fe4b443b555559cf
                                                          • Instruction Fuzzy Hash: 7ED143B1A08701DFC714DF24C48492ABBE6EF89710F14895DF88A9B362DB35EC45CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
                                                            • Part of subcall function 00730FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
                                                            • Part of subcall function 00730FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
                                                            • Part of subcall function 00730FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
                                                            • Part of subcall function 00730FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
                                                          • GetLengthSid.ADVAPI32(?,00000000,00731335), ref: 007317AE
                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 007317BA
                                                          • HeapAlloc.KERNEL32(00000000), ref: 007317C1
                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 007317DA
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00731335), ref: 007317EE
                                                          • HeapFree.KERNEL32(00000000), ref: 007317F5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                          • String ID:
                                                          • API String ID: 3008561057-0
                                                          • Opcode ID: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
                                                          • Instruction ID: ce9f4102562c6a17b14b863ccf99e89bef7022874a9e246e2233330f1cbae1e7
                                                          • Opcode Fuzzy Hash: ef3157d1178847a0f2e254d23b2e48c8bef6dc1568ed7cfab561c10aea7ddfd2
                                                          • Instruction Fuzzy Hash: FC11BE71500205FFEB259FA4CC49BBE7BA9EB42355F588018F48297212D77AAD44CB70
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007314FF
                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00731506
                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00731515
                                                          • CloseHandle.KERNEL32(00000004), ref: 00731520
                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073154F
                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00731563
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                          • String ID:
                                                          • API String ID: 1413079979-0
                                                          • Opcode ID: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
                                                          • Instruction ID: 7752e96556bf7098752836b9a4189164ee6656ee30418db30c411410b39aff72
                                                          • Opcode Fuzzy Hash: 30ace8396ff4b67202ace4f4f5582e1ac98434b35af4cc632e69d70966ce7b31
                                                          • Instruction Fuzzy Hash: E9116A7250024DEBEF128F98DD49FEE7BA9EF48744F048015FA06A2160C3B9CE60DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,006F3379,006F2FE5), ref: 006F3390
                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006F339E
                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006F33B7
                                                          • SetLastError.KERNEL32(00000000,?,006F3379,006F2FE5), ref: 006F3409
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastValue___vcrt_
                                                          • String ID:
                                                          • API String ID: 3852720340-0
                                                          • Opcode ID: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
                                                          • Instruction ID: 9529aa9e34b84ad00dae042c4f8f1d4d761b0bd74a4551f670112d56e64e3996
                                                          • Opcode Fuzzy Hash: 5e8d5aa230d56d240fcb7788c7ad66c8a91b4fbc19379eb3681a03ceac465f8e
                                                          • Instruction Fuzzy Hash: 35012433208339BEAA2627787C85AB72A96EB15379B20422EF710C43F0EF554D12514C
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,00705686,00713CD6,?,00000000,?,00705B6A,?,?,?,?,?,006FE6D1,?,00798A48), ref: 00702D78
                                                          • _free.LIBCMT ref: 00702DAB
                                                          • _free.LIBCMT ref: 00702DD3
                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DE0
                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,006FE6D1,?,00798A48,00000010,006D4F4A,?,?,00000000,00713CD6), ref: 00702DEC
                                                          • _abort.LIBCMT ref: 00702DF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free$_abort
                                                          • String ID:
                                                          • API String ID: 3160817290-0
                                                          • Opcode ID: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
                                                          • Instruction ID: 6cfdca0e940aa55a786ef650f56660886d82423e6a7976676cc39de376e08ec3
                                                          • Opcode Fuzzy Hash: 1bf2c61ca496c118ac84d8d4ab22444a04b3b128eba0b0ea8065ae74983b2727
                                                          • Instruction Fuzzy Hash: 40F0A477644600F7C6137735AC0EA2A26D9AFC27A5B358719F825922E3EE6C9C034165
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                                            • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                                                            • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                                                            • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
                                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00768A4E
                                                          • LineTo.GDI32(?,00000003,00000000), ref: 00768A62
                                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00768A70
                                                          • LineTo.GDI32(?,00000000,00000003), ref: 00768A80
                                                          • EndPath.GDI32(?), ref: 00768A90
                                                          • StrokePath.GDI32(?), ref: 00768AA0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                          • String ID:
                                                          • API String ID: 43455801-0
                                                          • Opcode ID: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
                                                          • Instruction ID: 52592dd170973d18b7b48f2c46c376cab8ae405443b3a318e06d09a373665f71
                                                          • Opcode Fuzzy Hash: f550b3b9478693dd57922e8204f6d2f56b350bbdddb44621cd323f9a5b4d8501
                                                          • Instruction Fuzzy Hash: 6011FA7600024CFFEB129F94DC48EAA7F6DEB08350F00C012FA5699161C7759D55DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDC.USER32(00000000), ref: 00735218
                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00735229
                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00735230
                                                          • ReleaseDC.USER32(00000000,00000000), ref: 00735238
                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0073524F
                                                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00735261
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CapsDevice$Release
                                                          • String ID:
                                                          • API String ID: 1035833867-0
                                                          • Opcode ID: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
                                                          • Instruction ID: 2e758272dbe18e8a85b09aafdbf5d1e91300496cf326e1cbe9440c3b58ecdc2d
                                                          • Opcode Fuzzy Hash: 76eabd7d5670af19740b4cf0828191f4f75e8da2679fba080eb5bd5d5bf2d6e3
                                                          • Instruction Fuzzy Hash: 65018FB5A00718BBEB119BA5DC49A5EBFB8FB48351F048066FA05A7281D6B49800CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006D1BF4
                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 006D1BFC
                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006D1C07
                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006D1C12
                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 006D1C1A
                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 006D1C22
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Virtual
                                                          • String ID:
                                                          • API String ID: 4278518827-0
                                                          • Opcode ID: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
                                                          • Instruction ID: 04f8397cd30ee4ca6652d0ca47f51ccfab23aec15ea65f99ff32b51637731597
                                                          • Opcode Fuzzy Hash: f8f573ff264a3accc1374b1108628eac8e54e81d8ab5dede308f89756a343562
                                                          • Instruction Fuzzy Hash: B50148B090275A7DE3008F5A8C85A52FEA8FF19354F00415B915C47941C7F5A864CBE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0073EB30
                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0073EB46
                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0073EB55
                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB64
                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB6E
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB75
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 839392675-0
                                                          • Opcode ID: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
                                                          • Instruction ID: e84d1ee2c240ca9e514bce230c3ac318a71878f39679f3d13464842d4fe44adc
                                                          • Opcode Fuzzy Hash: 97f5b6ac5880c7a9c23156c82bb810a0581617701c6eb053d980895b06a0684a
                                                          • Instruction Fuzzy Hash: BCF01DB2140258BBE6226752DC0EEBB7A7CEFCAB11F008158F642E119196E85A0186B9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetClientRect.USER32(?), ref: 00727452
                                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00727469
                                                          • GetWindowDC.USER32(?), ref: 00727475
                                                          • GetPixel.GDI32(00000000,?,?), ref: 00727484
                                                          • ReleaseDC.USER32(?,00000000), ref: 00727496
                                                          • GetSysColor.USER32(00000005), ref: 007274B0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                          • String ID:
                                                          • API String ID: 272304278-0
                                                          • Opcode ID: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
                                                          • Instruction ID: dcf92beec899307d520581f1c77654c3c05a388ef2c6bbd20112727ae290b071
                                                          • Opcode Fuzzy Hash: 56e8d662c2ec022928b0fc2c3a009533f9be6e994307af506aef4df51e9a94cc
                                                          • Instruction Fuzzy Hash: D801AD31400355EFEB126FA4EC08BBA7BB5FF04311F608060F956A21A1CB791E51EB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0073187F
                                                          • UnloadUserProfile.USERENV(?,?), ref: 0073188B
                                                          • CloseHandle.KERNEL32(?), ref: 00731894
                                                          • CloseHandle.KERNEL32(?), ref: 0073189C
                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 007318A5
                                                          • HeapFree.KERNEL32(00000000), ref: 007318AC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                          • String ID:
                                                          • API String ID: 146765662-0
                                                          • Opcode ID: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
                                                          • Instruction ID: 141c59215779c5d4788b32c57112b7e50769a73c984b7c135b9074fcd14691a2
                                                          • Opcode Fuzzy Hash: c1923dbc58f787326767a73917f90bf901ac767ab05dcdeec0e15f16198bfdc0
                                                          • Instruction Fuzzy Hash: D1E0ED76004205BBDB026FA2ED0C915BF39FF4A722710C221F26691170CBB65420DF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 006DBEB3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: D%z$D%z$D%z$D%zD%z
                                                          • API String ID: 1385522511-3299656855
                                                          • Opcode ID: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
                                                          • Instruction ID: 76cdcd034df3da95fbb41347c63be535bc09ddb897b6cc40f19f547912ba22df
                                                          • Opcode Fuzzy Hash: 1820b6924b1cda8e42478be900116b557a273e6a701fc6d5d1c3541a110da116
                                                          • Instruction Fuzzy Hash: 69913975E0020ACFCB18CF59C0906A9B7F2FF99310B25916ED945AB355E731E982CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                                                            • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                                          • __Init_thread_footer.LIBCMT ref: 00757BFB
                                                            • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                                                            • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                          • String ID: +Tr$5$G$Variable must be of type 'Object'.
                                                          • API String ID: 535116098-3922178991
                                                          • Opcode ID: 9504fb1c1ba25a93a05a2ad53e657a1a0c1ff828d86120a6eb47c798bb0a268b
                                                          • Instruction ID: 2206e359d11c50ddeb99546b003d16ca6d0b0d8ef8046fee7470b2ae0cee4b54
                                                          • Opcode Fuzzy Hash: 9504fb1c1ba25a93a05a2ad53e657a1a0c1ff828d86120a6eb47c798bb0a268b
                                                          • Instruction Fuzzy Hash: 33916E70A04209EFCB08EF54E8959FDB7B6BF45301F108059FC069B292DBB9AE49CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C6EE
                                                          • _wcslen.LIBCMT ref: 0073C735
                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0073C79C
                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0073C7CA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                          • String ID: 0
                                                          • API String ID: 1227352736-4108050209
                                                          • Opcode ID: 5d70e1d65695d50c18411dbbeee3befb53ee495cff8ab877e8dc81ac0881062e
                                                          • Instruction ID: e5643bfa15046385d4a978f1d28c96324a376140dacba306339e2fa206df9a4f
                                                          • Opcode Fuzzy Hash: 5d70e1d65695d50c18411dbbeee3befb53ee495cff8ab877e8dc81ac0881062e
                                                          • Instruction Fuzzy Hash: 4751E2726043409BF7529F28C885B6B77E8AF89310F040A2DF996F31A2DB78DD04CB56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 0075AEA3
                                                            • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                                          • GetProcessId.KERNEL32(00000000), ref: 0075AF38
                                                          • CloseHandle.KERNEL32(00000000), ref: 0075AF67
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                          • String ID: <$@
                                                          • API String ID: 146682121-1426351568
                                                          • Opcode ID: 2445a8658ecbe9afcffa603a6db9e1e8e0460f1b8e9064e37721304d417b620d
                                                          • Instruction ID: b2ca69c7a6418ea6f542347675365c20de0372fe578b24fc5c439158ad828611
                                                          • Opcode Fuzzy Hash: 2445a8658ecbe9afcffa603a6db9e1e8e0460f1b8e9064e37721304d417b620d
                                                          • Instruction Fuzzy Hash: 18715971A00219DFCB14DF54D485A9EBBF1BF08310F0485AEE816AB392DB74ED45CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00737206
                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0073723C
                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0073724D
                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007372CF
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                          • String ID: DllGetClassObject
                                                          • API String ID: 753597075-1075368562
                                                          • Opcode ID: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
                                                          • Instruction ID: c411d1eb9db18e9f20f84f30a2d6589b7704a4370115330de7fa7a5e61e04184
                                                          • Opcode Fuzzy Hash: 8fae348152053146573f0432cfc1cf529a9a94566f8e5d63617a85e3d866545e
                                                          • Instruction Fuzzy Hash: E5411DF2604205DFEB29CF54C884A9B7BB9FF49310F1580A9BD059F20AD7B9D944DBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
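Added example (not part of the Joe Sandbox report, and not Joe Sandbox or AutoIt code): a small Python triage helper that parses "APIs" records in the format used above, decodes the Win32 constants they carry, and flags call sequences worth a second look, such as the WM_CLOSE / GetWindowThreadProcessId / OpenProcess(0x1F0FFF) / TerminateProcess chain at 0073EB30 and the CoCreateInstance followed by GetProcAddress("DllGetClassObject") at 00737206. The sample records embedded in the script are the API lines of two records above, copied verbatim. Two things are assumptions rather than facts stated by the report: the values printed past an API's real parameter count (OpenProcess is shown with 16 "arguments") are treated as stack slots and left undecoded, and the 0x3C and 0x30 values shown where ShellExecuteExW and GetMenuItemInfoW take a struct pointer are read as the pointed-to cbSize fields (60 and 48 bytes, the 32-bit sizes of SHELLEXECUTEINFOW and MENUITEMINFOW). The same reading would likely explain the String IDs "<$@" and "0" on those records, since 0x3C, 0x40 and 0x30 are the ASCII codes of "<", "@" and "0".

```python
"""Triage helper for Joe Sandbox 'APIs' records (added example, not report code):
parse '• Api.MODULE(args), ref: addr' lines, decode known Win32 constants and
flag call sequences worth a closer look."""
import re
from dataclasses import dataclass

# One report line. "Part of subcall function ..." lines list callees, not this
# function's own calls; the API name must follow the bullet directly, so they fail to match.
API_RE = re.compile(r"^\s*•\s*(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{6,8})\s*$")

# Constants keyed by (API, zero-based parameter). Only documented positions are
# listed: the report prints stack slots past the real argument count, and those stay undecoded.
CONSTS = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("SendMessageTimeoutW", 5): {0x1F4: "500ms"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS(pre-Vista SDK value)"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("SetErrorMode", 0): {0x1: "SEM_FAILCRITICALERRORS", 0x0: "restore default"},
    ("CoCreateInstance", 2): {0x5: "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"},
    # Assumption: where a struct pointer is expected the report shows the
    # pointed-to cbSize word (32-bit sizes of SHELLEXECUTEINFOW / MENUITEMINFOW).
    ("ShellExecuteExW", 0): {0x3C: "cbSize=sizeof(SHELLEXECUTEINFOW)"},
    ("GetMenuItemInfoW", 3): {0x30: "cbSize=sizeof(MENUITEMINFOW)"},
}

@dataclass
class Call:
    api: str
    module: str
    args: list   # int for 8-digit hex values, str for '?' or string literals
    ref: int     # call-site address

def _parse_arg(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_record(text):
    """Calls of one record's 'APIs' block, in report order."""
    calls = []
    for m in filter(None, map(API_RE.match, text.splitlines())):
        args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls

def annotate(call):
    """One call as text with known constants decoded next to their raw value."""
    parts = []
    for i, a in enumerate(call.args):
        name = CONSTS.get((call.api, i), {}).get(a) if isinstance(a, int) else None
        parts.append((f"0x{a:X}" if isinstance(a, int) else a) + (f"={name}" if name else ""))
    return f"{call.ref:08X} {call.api}.{call.module}({', '.join(parts)})"

def _arg_is(i, value):
    return lambda c: i < len(c.args) and c.args[i] == value

# Ordered (API, predicate) steps; a record is flagged when its calls contain the
# steps as an in-order subsequence (unrelated calls may sit in between).
PATTERNS = {
    "WM_CLOSE, then OpenProcess(ALL_ACCESS)+TerminateProcess on the window owner": [
        ("PostMessageW", _arg_is(1, 0x10)), ("GetWindowThreadProcessId", None),
        ("OpenProcess", _arg_is(0, 0x1F0FFF)), ("TerminateProcess", None)],
    "CoCreateInstance followed by manual DllGetClassObject lookup": [
        ("CoCreateInstance", None), ("GetProcAddress", _arg_is(1, "DllGetClassObject"))],
}

def _matches(calls, steps):
    pos = 0
    for api, pred in steps:
        while pos < len(calls) and not (calls[pos].api == api and (pred is None or pred(calls[pos]))):
            pos += 1
        if pos == len(calls):
            return False
        pos += 1
    return True

def flag(calls):
    """Names of the PATTERNS present in this record's call list."""
    return [name for name, steps in PATTERNS.items() if _matches(calls, steps)]

# Constructed samples: the 'APIs' lines of two records above, copied verbatim.
WINKILL_RECORD = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0073EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0073EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 0073EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0073EB75
"""
COM_RECORD = """
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00737206
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0073723C
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0073724D
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007372CF
"""

if __name__ == "__main__":
    for calls in map(parse_record, (WINKILL_RECORD, COM_RECORD)):
        print("\n".join(map(annotate, calls)))
        print("flags:", flag(calls) or "none", "\n")
```

Paste the API lines of any other record into parse_record to get the same decoding; extend CONSTS only at parameter positions the API actually documents. The 0x1F0FFF access mask is the PROCESS_ALL_ACCESS value from SDKs predating Vista (later SDKs define 0x1FFFFF), which on its own says something about the toolchain the runtime was built with.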

                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00763E35
                                                          • IsMenu.USER32(?), ref: 00763E4A
                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00763E92
                                                          • DrawMenuBar.USER32 ref: 00763EA5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Menu$Item$DrawInfoInsert
                                                          • String ID: 0
                                                          • API String ID: 3076010158-4108050209
                                                          • Opcode ID: c26ca9e4dd11e2fddd3b6d695ea88e53da2c680bf7815008ee79ea95f14475bb
                                                          • Instruction ID: 1444509be4a0fe0ca9abc126282856dbd0383d0e7686fb6e3f6dbb8da29a59d9
                                                          • Opcode Fuzzy Hash: c26ca9e4dd11e2fddd3b6d695ea88e53da2c680bf7815008ee79ea95f14475bb
                                                          • Instruction Fuzzy Hash: F0414775A01209AFDB10DF60D884AAABBF9FF49350F04812AFD16A7250D739AE54CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00731E66
                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00731E79
                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00731EA9
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen$ClassName
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 2081771294-1403004172
                                                          • Opcode ID: 73c96d24ecd8a96e80fdaa666f7fde8fab3e8775b9ee59b43129ff166938986b
                                                          • Instruction ID: 144f17d4fb896703ed7f25c9df1c823161e03310a372a7ded0a9646644ca9ddc
                                                          • Opcode Fuzzy Hash: 73c96d24ecd8a96e80fdaa666f7fde8fab3e8775b9ee59b43129ff166938986b
                                                          • Instruction Fuzzy Hash: AB2123B2A40204BEEB14AB60DC45CFFB7B9DF41350F54451EF822A32E2DB7D4D098624
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00762F8D
                                                          • LoadLibraryW.KERNEL32(?), ref: 00762F94
                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00762FA9
                                                          • DestroyWindow.USER32(?), ref: 00762FB1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                                          • String ID: SysAnimate32
                                                          • API String ID: 3529120543-1011021900
                                                          • Opcode ID: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
                                                          • Instruction ID: adec3db30a13d66e342eb2a37a270546e534539d3a460560a75e3227ef2b74ea
                                                          • Opcode Fuzzy Hash: 0eebaf71a50527c5f26ccc9d03f3d60966a4ab20ceea4e55203df512bd9c4897
                                                          • Instruction Fuzzy Hash: 7621DE71204605ABEB514FA4DC80EFB37B9EF59364F108618FE52D61A1C7B9DC429B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002), ref: 006F4D8D
                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006F4DA0
                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,006F4D1E,007028E9,?,006F4CBE,007028E9,007988B8,0000000C,006F4E15,007028E9,00000002,00000000), ref: 006F4DC3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                          • String ID: CorExitProcess$mscoree.dll
                                                          • API String ID: 4061214504-1276376045
                                                          • Opcode ID: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
                                                          • Instruction ID: 258562cd605416a438d072dd977abc58dd594bffcc21d92d8f0b54901819460e
                                                          • Opcode Fuzzy Hash: a049f690f4cbf51a17be44465992fd00fb22dc04e0f73f63edc27ef81d521838
                                                          • Instruction Fuzzy Hash: 71F0813050020CABDB159B94DC09BFEBBA5EF44751F004095E90AA2650DB745D40CAD4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32 ref: 0072D3AD
                                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0072D3BF
                                                          • FreeLibrary.KERNEL32(00000000), ref: 0072D3E5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: GetSystemWow64DirectoryW$X64
                                                          • API String ID: 145871493-2590602151
                                                          • Opcode ID: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
                                                          • Instruction ID: f08101681890dacfcaccd71e2aff04959e5da7f0330e2420a7c3307487db59af
                                                          • Opcode Fuzzy Hash: 82e93b54213b02991a579f62d4f93873eb9722f67e68129a711be70db5532b82
                                                          • Instruction Fuzzy Hash: A1F055B0802730CBE736AB11EC189BD7351BF02701F68C196F843E1002DB6CCE408687
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E9C
                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006D4EAE
                                                          • FreeLibrary.KERNEL32(00000000,?,?,006D4EDD,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4EC0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-3689287502
                                                          • Opcode ID: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
                                                          • Instruction ID: 0f5f9f2ec540540f642a2e679f1964a5c1bae3f48832e1a6788cdcc52f817ce8
                                                          • Opcode Fuzzy Hash: 9d5ce33633201b8f879a8db36e3ca157817e20daa987039bf88cb54275b40043
                                                          • Instruction Fuzzy Hash: 18E0CD75E017226BD23317257C18BBF7755AF82F627094116FC46D2300DFB8CD0140A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E62
                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006D4E74
                                                          • FreeLibrary.KERNEL32(00000000,?,?,00713CDE,?,007A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006D4E87
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Library$AddressFreeLoadProc
                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                          • API String ID: 145871493-1355242751
                                                          • Opcode ID: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
                                                          • Instruction ID: 1e287c962f316968d2365e3f51110a7c30c07a87d38941802b722ec1666283b7
                                                          • Opcode Fuzzy Hash: 659d644e2e34fd384737fe50803d7a64dc8530789483f8d4ce3e1997e85353df
                                                          • Instruction Fuzzy Hash: 92D0C271902761674A231B24BC08DEB3B1AAFC6B513054212F846A2310CFB8CD0181D4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32 ref: 0075A427
                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0075A435
                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0075A468
                                                          • CloseHandle.KERNEL32(?), ref: 0075A63D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                          • String ID:
                                                          • API String ID: 3488606520-0
                                                          • Opcode ID: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
                                                          • Instruction ID: 5b76c2fdd5220a04bbe4d7147e2f0f6785f7009a9cc21663cc82b71276b17e58
                                                          • Opcode Fuzzy Hash: 49fb00e88d3e66cb24ea3d85d9bedd10df30d1bc6a6037cd988eb96f26e84563
                                                          • Instruction Fuzzy Hash: C8A1B071604301AFD760DF24C882F6AB7E6AF84714F14891DF99A9B392D7B4EC44CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00773700), ref: 0070BB91
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007A121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0070BC09
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,007A1270,000000FF,?,0000003F,00000000,?), ref: 0070BC36
                                                          • _free.LIBCMT ref: 0070BB7F
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 0070BD4B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                          • String ID:
                                                          • API String ID: 1286116820-0
                                                          • Opcode ID: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
                                                          • Instruction ID: 872fe7b4f56e26affa0f48dd98180a6c4461752e70c652df0ef9cc4b7f8ad31a
                                                          • Opcode Fuzzy Hash: 7c7d7ddf5236eaf70b0799f9a9f70dbe2c4ac6f29027a869e3926a9fad197ab8
                                                          • Instruction Fuzzy Hash: 79510571900209EFEB10EF659C85AAAB7F8FF81350F50436AE450D72E1EB789F418B64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0073CF22,?), ref: 0073DDFD
                                                            • Part of subcall function 0073DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0073CF22,?), ref: 0073DE16
                                                            • Part of subcall function 0073E199: GetFileAttributesW.KERNEL32(?,0073CF95), ref: 0073E19A
                                                          • lstrcmpiW.KERNEL32(?,?), ref: 0073E473
                                                          • MoveFileW.KERNEL32(?,?), ref: 0073E4AC
                                                          • _wcslen.LIBCMT ref: 0073E5EB
                                                          • _wcslen.LIBCMT ref: 0073E603
                                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0073E650
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                          • String ID:
                                                          • API String ID: 3183298772-0
                                                          • Opcode ID: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
                                                          • Instruction ID: 02cbf1f3057567ad04ac310bbafe162ade73db8a0de28b8cde86948f88b225c5
                                                          • Opcode Fuzzy Hash: 2d7df6fed0f53378a84d9ff7156ea17c4e90b5152516c5bc573669ba4461a812
                                                          • Instruction Fuzzy Hash: 655185B25083859BD764DB90DC819DF77ED9F84340F00491EF6C9D3192EF78A588876A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 0075C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0075B6AE,?,?), ref: 0075C9B5
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075C9F1
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA68
                                                            • Part of subcall function 0075C998: _wcslen.LIBCMT ref: 0075CA9E
                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0075BAA5
                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0075BB00
                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0075BB63
                                                          • RegCloseKey.ADVAPI32(?,?), ref: 0075BBA6
                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0075BBB3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                          • String ID:
                                                          • API String ID: 826366716-0
                                                          • Opcode ID: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
                                                          • Instruction ID: 600d2c260b09e32b27a6b7555b8650f2cceb2eacb3074690977f666e6f2dee4a
                                                          • Opcode Fuzzy Hash: 6d018a37206ca4c63a0d61ce5841cd133cadbff730644fd2756a29846960f23b
                                                          • Instruction Fuzzy Hash: E861C271208241AFD314DF14C890E7ABBE5FF84308F14855DF8994B2A2DB75ED49CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VariantInit.OLEAUT32(?), ref: 00738BCD
                                                          • VariantClear.OLEAUT32 ref: 00738C3E
                                                          • VariantClear.OLEAUT32 ref: 00738C9D
                                                          • VariantClear.OLEAUT32(?), ref: 00738D10
                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00738D3B
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Variant$Clear$ChangeInitType
                                                          • String ID:
                                                          • API String ID: 4136290138-0
                                                          • Opcode ID: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
                                                          • Instruction ID: be83457bb7a87ba22a21e248b5ec7bf40c83c5ef64bd65d69e4e20c4e7dab463
                                                          • Opcode Fuzzy Hash: 25e429a72c5b7b9c90e7bd36870cba5aaca216c79db604f05e0c12ef6b1927c7
                                                          • Instruction Fuzzy Hash: 4A5148B5A00219AFDB10CF68C884AAABBF4FF8D310F158559F915DB350EB34E911CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00748BAE
                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00748BDA
                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00748C32
                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00748C57
                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00748C5F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: PrivateProfile$SectionWrite$String
                                                          • String ID:
                                                          • API String ID: 2832842796-0
                                                          • Opcode ID: 6876967741b0308d5d7cac0305199b160719023714f504489d8c9a71429e40da
                                                          • Instruction ID: 9635f52530465e3d0e3cafd6b59a35548ab925787677d3e6ba7d22bbe5ff217a
                                                          • Opcode Fuzzy Hash: 6876967741b0308d5d7cac0305199b160719023714f504489d8c9a71429e40da
                                                          • Instruction Fuzzy Hash: 67515D35A002199FCB45DF65C880E6DBBF6FF48314F088499E849AB362DB35ED41CBA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00758F40
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00758FD0
                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00758FEC
                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00759032
                                                          • FreeLibrary.KERNEL32(00000000), ref: 00759052
                                                            • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00741043,?,7644E610), ref: 006EF6E6
                                                            • Part of subcall function 006EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0072FA64,00000000,00000000,?,?,00741043,?,7644E610,?,0072FA64), ref: 006EF70D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                          • String ID:
                                                          • API String ID: 666041331-0
                                                          • Opcode ID: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
                                                          • Instruction ID: a8a04b439705a8663272b93bcaafbaf0d1b033a4d8add5ab4e450daeb78476a7
                                                          • Opcode Fuzzy Hash: 57a9ecce90e01b5e1216616bdd9693d8e421d65a591892b48d37a04d96ba8fe1
                                                          • Instruction Fuzzy Hash: CA514A35A00205DFC745DF54C4948ADBBB1FF49315F088099ED0AAB3A2DB75ED89CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00766C33
                                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00766C4A
                                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00766C73
                                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0074AB79,00000000,00000000), ref: 00766C98
                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00766CC7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$MessageSendShow
                                                          • String ID:
                                                          • API String ID: 3688381893-0
                                                          • Opcode ID: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
                                                          • Instruction ID: 8e2a43304c3b4aca464fda7e4930e3718abd7d3debbe045aa26bf52c66b0b581
                                                          • Opcode Fuzzy Hash: 2ae6c83b692c4fab29c30d2e5702685eb0ebae28efb1b318aec5671e1f4f9a1c
                                                          • Instruction Fuzzy Hash: E141E235600504AFD725CF28CC48FA57BA5EB09350F954268EC9AA72A0C379BD40CA64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
                                                          • Instruction ID: 717a3d38f3b0a76fd539a1934feb05e6fd1f8bc575b02f3d5dfe20c238920c3e
                                                          • Opcode Fuzzy Hash: 6c0e1822d327b044fbdbf4d48a394b482efa80c14e2a0fb46491e7511a580de6
                                                          • Instruction Fuzzy Hash: F5419333A00304DFCB24DF78C885A59B7E5EF89314F1546A9E615EB392DA35AD02CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCursorPos.USER32(?), ref: 006E9141
                                                          • ScreenToClient.USER32(00000000,?), ref: 006E915E
                                                          • GetAsyncKeyState.USER32(00000001), ref: 006E9183
                                                          • GetAsyncKeyState.USER32(00000002), ref: 006E919D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: AsyncState$ClientCursorScreen
                                                          • String ID:
                                                          • API String ID: 4210589936-0
                                                          • Opcode ID: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
                                                          • Instruction ID: 97797849ca386c7e494e2613036b4a0810a48c0de4450d8f71e1b2f226d17847
                                                          • Opcode Fuzzy Hash: 0eda5e36a253d7be3392cee5c6fe967064d7198722622a1ddbd248f0828bfc85
                                                          • Instruction Fuzzy Hash: A7416E3190861AFBDF199F65D848BEEB775FF45320F208219E429A6290C7345D50CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetInputState.USER32 ref: 007438CB
                                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00743922
                                                          • TranslateMessage.USER32(?), ref: 0074394B
                                                          • DispatchMessageW.USER32(?), ref: 00743955
                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00743966
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                          • String ID:
                                                          • API String ID: 2256411358-0
                                                          • Opcode ID: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
                                                          • Instruction ID: b0e53533a439444c0e536f4926ee93769234d1a33d9765992d95d730e36d990f
                                                          • Opcode Fuzzy Hash: 0005dff570550ebaee44bd682dfb8308285f8a00ad567535cd06bb89597ac496
                                                          • Instruction Fuzzy Hash: AF31D9709043419EFB35CB349C48BB777A8AB46308F54856DD4AAC20A0E3FCB685CB25
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0074CF38
                                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 0074CF6F
                                                          • GetLastError.KERNEL32(?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFB4
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFC8
                                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,0074C21E,00000000), ref: 0074CFF2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                          • String ID:
                                                          • API String ID: 3191363074-0
                                                          • Opcode ID: 86a74b9f96181028d45a6baad673d40cd274101def15536539f68ee46d64c1cc
                                                          • Instruction ID: 27fa84bd04711c806bc02e1d4ad49df109c0b73f08f2853845a498e5b947c5cb
                                                          • Opcode Fuzzy Hash: 86a74b9f96181028d45a6baad673d40cd274101def15536539f68ee46d64c1cc
                                                          • Instruction Fuzzy Hash: 51317C72601305EFDB61DFA5C884AABBBF9EF14310B10842EF546D2101EB78AE459B60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetWindowRect.USER32(?,?), ref: 00731915
                                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 007319C1
                                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 007319C9
                                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 007319DA
                                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 007319E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessagePostSleep$RectWindow
                                                          • String ID:
                                                          • API String ID: 3382505437-0
                                                          • Opcode ID: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
                                                          • Instruction ID: a5c205be8fb9ab9880f33f60ce73bd598c9f5e64d999ffce5ecbab432bc6bfd2
                                                          • Opcode Fuzzy Hash: cceb56a4551262e3719a040504c5f4dc050b1b1d3e4e0923e453078d42f7cb51
                                                          • Instruction Fuzzy Hash: 9631F471900259EFDB04CFA8CD99BEE3BB5EB04315F008225F962A72D1C7B4AD54CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00765745
                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0076579D
                                                          • _wcslen.LIBCMT ref: 007657AF
                                                          • _wcslen.LIBCMT ref: 007657BA
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$_wcslen
                                                          • String ID:
                                                          • API String ID: 763830540-0
                                                          • Opcode ID: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
                                                          • Instruction ID: e8bb39a81be21ff17bb14079e961dfb9db618231dd52df418a628665d0e57ac0
                                                          • Opcode Fuzzy Hash: c56fccd2390b1608f7fd3c59cf3d08263af5de9dd5debd94e180cbc6ee1856e3
                                                          • Instruction Fuzzy Hash: CF21B671904618DADB218F60CC84EEE7BB8FF04724F108256FD2AEB180DB789985DF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • IsWindow.USER32(00000000), ref: 00750951
                                                          • GetForegroundWindow.USER32 ref: 00750968
                                                          • GetDC.USER32(00000000), ref: 007509A4
                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 007509B0
                                                          • ReleaseDC.USER32(00000000,00000003), ref: 007509E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$ForegroundPixelRelease
                                                          • String ID:
                                                          • API String ID: 4156661090-0
                                                          • Opcode ID: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
                                                          • Instruction ID: 2fb4971eca20e1512e629438959a9b3dce577d6958720b4a98b43d46169058c9
                                                          • Opcode Fuzzy Hash: 70265cd338f37e37eddcc7679fc4e11f12472575aa2801272c9e6592f91a0fa0
                                                          • Instruction Fuzzy Hash: D1216F39A00214AFD704EF69D888AAEBBE5EF44701F04806DE84A97352DBB4AC44CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetEnvironmentStringsW.KERNEL32 ref: 0070CDC6
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0070CDE9
                                                            • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0070CE0F
                                                          • _free.LIBCMT ref: 0070CE22
                                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0070CE31
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                          • String ID:
                                                          • API String ID: 336800556-0
                                                          • Opcode ID: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
                                                          • Instruction ID: 1d8b40084f448f41674e7b876d3f22ed77bb306853f5ff899252e2e348ffdd65
                                                          • Opcode Fuzzy Hash: bc334f34cb0823fc2148986ec011a0f0ab30fc053e480e935293b7c0b2a16d41
                                                          • Instruction Fuzzy Hash: 8701B1B2601215FFA32327B6EC8CC7B79ADDAC6BA1315432DFD05C6281EA688D0191B4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                                          • SelectObject.GDI32(?,00000000), ref: 006E96A2
                                                          • BeginPath.GDI32(?), ref: 006E96B9
                                                          • SelectObject.GDI32(?,00000000), ref: 006E96E2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ObjectSelect$BeginCreatePath
                                                          • String ID:
                                                          • API String ID: 3225163088-0
                                                          • Opcode ID: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
                                                          • Instruction ID: 6c299a65f9e98662d87077cd5ab1a609d993ca6e2346c04ad1c3d9eb647e117b
                                                          • Opcode Fuzzy Hash: 46c29ee6f40aae3392edb36b7141924725b29e81600343922eb0383382c791a5
                                                          • Instruction Fuzzy Hash: AD2183708023C5EBFB119F25EC147EA3B66BF82355F508216F411961B1D3786991CFA9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _memcmp
                                                          • String ID:
                                                          • API String ID: 2931989736-0
                                                          • Opcode ID: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
                                                          • Instruction ID: 84c72cc5346b14f715b544cfe7a9be39fc60dda1a4d372a90a0027f9fc4f0163
                                                          • Opcode Fuzzy Hash: 3f2e4c3d88e27bb5e2191a8f1a103aad459d26c6ac221e37f1ba69efa9c3e274
                                                          • Instruction Fuzzy Hash: 5401B5A2645A09FBF2085520AD92FBB735E9B32394F414024FE099E242FB69ED10C2F4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,006FF2DE,00703863,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6), ref: 00702DFD
                                                          • _free.LIBCMT ref: 00702E32
                                                          • _free.LIBCMT ref: 00702E59
                                                          • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E66
                                                          • SetLastError.KERNEL32(00000000,006D1129), ref: 00702E6F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast$_free
                                                          • String ID:
                                                          • API String ID: 3170660625-0
                                                          • Opcode ID: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
                                                          • Instruction ID: 23a8940158230e5a544c661bef658b9bda3e0af1a0b4cbfbac2a79d429bece7a
                                                          • Opcode Fuzzy Hash: e4f7ef0963664a22b3dc2eb0b91ef8cd22e1c1fe56b1f2ea9e8c1035e29cb44f
                                                          • Instruction Fuzzy Hash: 9B01F977285600E7C6137735AC4ED2B26DDABD17A57214725F455A22E3EA6C8C034128
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?,?,0073035E), ref: 0073002B
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730046
                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730054
                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?), ref: 00730064
                                                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0072FF41,80070057,?,?), ref: 00730070
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                          • String ID:
                                                          • API String ID: 3897988419-0
                                                          • Opcode ID: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
                                                          • Instruction ID: b84704426ecc6dbb9d9d7129f51ee4371e21350b2523666cc00bd2b7fd2cb62b
                                                          • Opcode Fuzzy Hash: ad108b04b3712494612fabfd14a396811699769d10f30725add0bfaeb86995a9
                                                          • Instruction Fuzzy Hash: FA01DF76600309BFEB214F68DC48BBA7AADEB44751F108024F846D7211D7B8CD009BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0073E997
                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 0073E9A5
                                                          • Sleep.KERNEL32(00000000), ref: 0073E9AD
                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 0073E9B7
                                                          • Sleep.KERNEL32 ref: 0073E9F3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                          • String ID:
                                                          • API String ID: 2833360925-0
                                                          • Opcode ID: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
                                                          • Instruction ID: bc16ca5fbcbd681ea97c12ba5cb0701679c4cc1ded00a66a9ac2e129a9a9d960
                                                          • Opcode Fuzzy Hash: a062e0d54be5c442c9925c6900f1223f570fe923241d70a759d714fcdf92453e
                                                          • Instruction Fuzzy Hash: ED015B71C0162DDBDF04ABE4DC596EDBB78BB09301F004546E542B2282DB78A5518766
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
                                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 842720411-0
                                                          • Opcode ID: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
                                                          • Instruction ID: 751f16a0af8128da62e7db3c9bcc28e4ff0baaa9f0ede3369ee2036e6d6e3743
                                                          • Opcode Fuzzy Hash: c52cb0ed7f343c6512b2faf2172b676ec72e470ff92063741e0a04a29604aee3
                                                          • Instruction Fuzzy Hash: F20181B5200309BFEB124F69DC49EAA3F6EEF85360F104414FA86C3350DB75DC008A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00730FCA
                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00730FD6
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00730FE5
                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00730FEC
                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00731002
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
                                                          • Instruction ID: 08779c8ab0c7360a32ca40ba0f0f60029bda0de70560245c4b9f817a8ac8b736
                                                          • Opcode Fuzzy Hash: c0d5c37e8ee2e9bfba0e9ba87dbd487c5b454c2fe7ad603b557ca32c83a549b6
                                                          • Instruction Fuzzy Hash: 66F06275200305FBD7264FA5DC4DF663B6DEF8A761F508414F986D7251CAB9DC408A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                          • String ID:
                                                          • API String ID: 44706859-0
                                                          • Opcode ID: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
                                                          • Instruction ID: c09f3ef9309ede120a19be1d42a9c14f587dbe8ba1e0c1e8c06833329bc06974
                                                          • Opcode Fuzzy Hash: 0f81a31bd8689fa68dc575c3425c8eeb05d34f62aca6fce8d24d84c54243a275
                                                          • Instruction Fuzzy Hash: 2DF0CD75300305FBEB221FA5EC49F663BADEF8A761F104414FA86D7251CAB9DC408A60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
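The chains above for QueryPerformanceCounter/Sleep, GetUserObjectSecurity and GetTokenInformation all follow recognisable call-sequence idioms: a query API called once to learn the required size (GetLastError, then GetProcessHeap/HeapAlloc) and again to fill the buffer, and a Sleep bracketed by two QueryPerformanceCounter reads. The helper below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's own "APIs" line format and flags those two idioms, decoding the TokenInformationClass argument against the winnt.h enum. One caveat a practitioner should keep in mind: the report annotates constant 00000003 as TokenIntegrityLevel, but in TOKEN_INFORMATION_CLASS the value 3 is TokenPrivileges and TokenIntegrityLevel is 25, so the decoded class below differs from the report's label on purpose. The excerpt embedded in the block is copied from the chains shown above; the heuristics and function names are this example's own.

```python
"""Triage helper for the 'APIs' chains in a Joe Sandbox function listing.

Each chain line has the form
    • Name.MODULE(arg1,arg2,...), ref: ADDRESS
(the argument list is optional) and a chain runs from an 'APIs' header to the
'Memory Dump Source' line.  REPORT_EXCERPT is copied from the report; the
idiom detectors and the names used here are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values from the Windows TOKEN_INFORMATION_CLASS enum (winnt.h).  Only the
# classes commonly seen in triage are listed; note 3 is TokenPrivileges and
# TokenIntegrityLevel is 25, whatever annotation a report attaches to 3.
TOKEN_INFORMATION_CLASS = {
    1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
    8: "TokenType", 12: "TokenSessionId", 18: "TokenElevationType",
    20: "TokenElevation", 25: "TokenIntegrityLevel",
}

_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>(?:[^()]|\([^()]*\))*)\))?"  # allows one nested (annotation)
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Three chains copied verbatim from the report's function listing.
REPORT_EXCERPT = """
APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0073E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0073E9A5
• Sleep.KERNEL32(00000000), ref: 0073E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0073E9B7
• Sleep.KERNEL32 ref: 0073E9F3
Memory Dump Source
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00731114
• GetLastError.KERNEL32(?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731120
• GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 0073112F
• HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00730B9B,?,?,?), ref: 00731136
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0073114D
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
Memory Dump Source
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int
    parent: Optional[str] = None  # set for 'Part of subcall function' lines


def parse_chains(text: str) -> List[List[ApiCall]]:
    """Split the listing into chains, one list of ApiCall per 'APIs' header."""
    chains, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            chains.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = _API_LINE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(ApiCall(m.group("name"), m.group("module"), args,
                                   int(m.group("ref"), 16), m.group("parent")))
    return chains


def token_class(arg: str) -> Optional[Tuple[int, str]]:
    """Decode a TokenInformationClass argument from its leading 8 hex digits,
    ignoring any annotation the report appended in parentheses."""
    m = re.match(r"([0-9A-Fa-f]{8})", arg)
    if not m:
        return None
    value = int(m.group(1), 16)
    return value, TOKEN_INFORMATION_CLASS.get(value, "unknown")


def buffer_sizing_idiom(chain: List[ApiCall]) -> Optional[str]:
    """Return the API queried twice with GetLastError and a heap allocation
    in between (size query, allocate, real query), or None."""
    names = [c.name for c in chain if c.parent is None]
    for i, first in enumerate(names):
        if first in ("GetLastError", "GetProcessHeap", "HeapAlloc"):
            continue
        if first not in names[i + 1:]:
            continue
        between = set(names[i + 1:names.index(first, i + 1)])
        if "GetLastError" in between and {"HeapAlloc", "RtlAllocateHeap"} & between:
            return first
    return None


def timed_sleep(chain: List[ApiCall]) -> bool:
    """True when a Sleep sits between two QueryPerformanceCounter reads, i.e.
    the function measures how long the sleep really took."""
    names = [c.name for c in chain if c.parent is None]
    if "Sleep" not in names:
        return False
    s = names.index("Sleep")
    qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
    return any(a < s < b for a in qpc for b in qpc)


def triage(text: str) -> List[dict]:
    """One finding dict per chain: API names, detected idioms, decoded classes."""
    results = []
    for chain in parse_chains(text):
        finding = {
            "apis": [c.name for c in chain if c.parent is None],
            "sized_query": buffer_sizing_idiom(chain),
            "timed_sleep": timed_sleep(chain),
            "token_classes": [],
        }
        for c in chain:
            if c.name == "GetTokenInformation" and len(c.args) > 1:
                tc = token_class(c.args[1])
                if tc:
                    finding["token_classes"].append(tc)
        results.append(finding)
    return results


if __name__ == "__main__":
    for n, f in enumerate(triage(REPORT_EXCERPT), 1):
        print(n, f)
```

Paste further "APIs ... Memory Dump Source" blocks from the report into REPORT_EXCERPT to triage more functions; the timing check only says that the function measures its own Sleep, which is consistent with, but not proof of, the sandbox-timing behaviour the report's signature list mentions elsewhere.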

                                                          APIs
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740324
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740331
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074033E
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 0074034B
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740358
                                                          • CloseHandle.KERNEL32(?,?,?,?,0074017D,?,007432FC,?,00000001,00712592,?), ref: 00740365
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle
                                                          • String ID:
                                                          • API String ID: 2962429428-0
                                                          • Opcode ID: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
                                                          • Instruction ID: 3f6611560d59635a3a03326f2c90280cac5449067e5e6fd0d641e1f9ee46be24
                                                          • Opcode Fuzzy Hash: dabc9760f0d1e328b93be0c955742ab23f928549967abec637c6dfb23f06a861
                                                          • Instruction Fuzzy Hash: 6001AA72800B159FCB30AF66D890812FBF9BF603153168A3FD29652931C3B5A998CF80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 0070D752
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 0070D764
                                                          • _free.LIBCMT ref: 0070D776
                                                          • _free.LIBCMT ref: 0070D788
                                                          • _free.LIBCMT ref: 0070D79A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
                                                          • Instruction ID: 9dee420b74a19c28a0cf68e3014b8fe77ed44d2d56ce4267b9c84261ee963315
                                                          • Opcode Fuzzy Hash: 05bd93dfe6b6ff00b926000bcb69be2d69dab3930f38094c9fab66d70934ceeb
                                                          • Instruction Fuzzy Hash: 85F0FF33554304EBCA22EBA8F9CAC1677DDBB447107A55A06F048E7592C72CFC818AA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDlgItem.USER32(?,000003E9), ref: 00735C58
                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00735C6F
                                                          • MessageBeep.USER32(00000000), ref: 00735C87
                                                          • KillTimer.USER32(?,0000040A), ref: 00735CA3
                                                          • EndDialog.USER32(?,00000001), ref: 00735CBD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                          • String ID:
                                                          • API String ID: 3741023627-0
                                                          • Opcode ID: 3bca7a120f5d52a3ae6df656f798748299138bd386e0c405c9b45de5af4e31ca
                                                          • Instruction ID: 08f66dd3112819e6fa22d479486e00b82cf4d3435c09aad6af2cb92688bce8b1
                                                          • Opcode Fuzzy Hash: 3bca7a120f5d52a3ae6df656f798748299138bd386e0c405c9b45de5af4e31ca
                                                          • Instruction Fuzzy Hash: CB018630500B05ABFB225B10DD4EFB677B8BB00B05F04655AF5C3A14E1DBF8A984CAA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _free.LIBCMT ref: 007022BE
                                                            • Part of subcall function 007029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000), ref: 007029DE
                                                            • Part of subcall function 007029C8: GetLastError.KERNEL32(00000000,?,0070D7D1,00000000,00000000,00000000,00000000,?,0070D7F8,00000000,00000007,00000000,?,0070DBF5,00000000,00000000), ref: 007029F0
                                                          • _free.LIBCMT ref: 007022D0
                                                          • _free.LIBCMT ref: 007022E3
                                                          • _free.LIBCMT ref: 007022F4
                                                          • _free.LIBCMT ref: 00702305
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$ErrorFreeHeapLast
                                                          • String ID:
                                                          • API String ID: 776569668-0
                                                          • Opcode ID: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
                                                          • Instruction ID: 538939280bcdae49d0ffc4aac9c2f3564cc9ef2b9bbf295d0578a20915657fd0
                                                          • Opcode Fuzzy Hash: fcda286688f572c2476941eec2ee46e91bee4a3a2c3b8cdbb08364ee3692b88e
                                                          • Instruction Fuzzy Hash: A0F01D76520110CFCA12AF54BC099483AA4B75A750B918607F410E22F2C73C58129EEC
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • EndPath.GDI32(?), ref: 006E95D4
                                                          • StrokeAndFillPath.GDI32(?,?,007271F7,00000000,?,?,?), ref: 006E95F0
                                                          • SelectObject.GDI32(?,00000000), ref: 006E9603
                                                          • DeleteObject.GDI32 ref: 006E9616
                                                          • StrokePath.GDI32(?), ref: 006E9631
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                          • String ID:
                                                          • API String ID: 2625713937-0
                                                          • Opcode ID: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
                                                          • Instruction ID: b5ce68a412ee71cd8e1b9f91f7f512db826cc82eeeb8c7a37272f2fdb649e6c5
                                                          • Opcode Fuzzy Hash: 854d9afc285e5aeb5706be3b855f6f29f0a8b6c6dc84535a4e252d34981f427e
                                                          • Instruction Fuzzy Hash: 07F08C30006388EBEB165F26EC1C7B63B62AB82322F40C215F466561F0C7789995CF29
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: __freea$_free
                                                          • String ID: a/p$am/pm
                                                          • API String ID: 3432400110-3206640213
                                                          • Opcode ID: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
                                                          • Instruction ID: f59501ca3bff1eb1902d25173fea9d3145c05ce0c0111ec3d89762ef91c33f08
                                                          • Opcode Fuzzy Hash: 8f9228bec59e0be2e21d2c6cf12a834855b76cb223000d622c16db28d5693851
                                                          • Instruction Fuzzy Hash: 28D1E231A00206DADB289F68C895BFAB7F5FF06300FA44359E9419BAD1D77D9D80CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006F0242: EnterCriticalSection.KERNEL32(007A070C,007A1884,?,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F024D
                                                            • Part of subcall function 006F0242: LeaveCriticalSection.KERNEL32(007A070C,?,006E198B,007A2518,?,?,?,006D12F9,00000000), ref: 006F028A
                                                            • Part of subcall function 006F00A3: __onexit.LIBCMT ref: 006F00A9
                                                          • __Init_thread_footer.LIBCMT ref: 00756238
                                                            • Part of subcall function 006F01F8: EnterCriticalSection.KERNEL32(007A070C,?,?,006E8747,007A2514), ref: 006F0202
                                                            • Part of subcall function 006F01F8: LeaveCriticalSection.KERNEL32(007A070C,?,006E8747,007A2514), ref: 006F0235
                                                            • Part of subcall function 0074359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007435E4
                                                            • Part of subcall function 0074359C: LoadStringW.USER32(007A2390,?,00000FFF,?), ref: 0074360A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
                                                          • String ID: x#z$x#z$x#z
                                                          • API String ID: 1072379062-95117334
                                                          • Opcode ID: e599d20d3db0da438bbca0e31b3eed9d6651b00e4b9490ef5cf7aaf867ea96f0
                                                          • Instruction ID: 8b1edf8fdd13303a947bf98e78c5fdfb1ed04b986ba59170ab6b6999fc18f95c
                                                          • Opcode Fuzzy Hash: e599d20d3db0da438bbca0e31b3eed9d6651b00e4b9490ef5cf7aaf867ea96f0
                                                          • Instruction Fuzzy Hash: 03C17C71A00209ABDB14DF58C890EFEB7BAFF49310F508069F9059B251DBB9ED59CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00708B6E
                                                          • GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00708B7A
                                                          • __dosmaperr.LIBCMT ref: 00708B81
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr
                                                          • String ID: .o
                                                          • API String ID: 2434981716-1957372423
                                                          • Opcode ID: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
                                                          • Instruction ID: 4b8cc92f4234fc1a2cf0ba61a188741f996c605d07aa566b67c6004a077d3e88
                                                          • Opcode Fuzzy Hash: 27bc20ebc43ff8967df9d345e5f475be9bad67234389b4f5184bf7201c28b367
                                                          • Instruction Fuzzy Hash: AF418CF0604155EFCB659F64C880A7D7FE6DF86304B2887A9F4C587682DE398C028795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0073B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321D0,?,?,00000034,00000800,?,00000034), ref: 0073B42D
                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00732760
                                                            • Part of subcall function 0073B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0073B3F8
                                                            • Part of subcall function 0073B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0073B355
                                                            • Part of subcall function 0073B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B365
                                                            • Part of subcall function 0073B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00732194,00000034,?,?,00001004,00000000,00000000), ref: 0073B37B
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007327CD
                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0073281A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                          • String ID: @
                                                          • API String ID: 4150878124-2766056989
                                                          • Opcode ID: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
                                                          • Instruction ID: 0a9c8692b59d17b0ea48739fd9bb4e5d2040e7ad31b27f652f0bceb64923a82b
                                                          • Opcode Fuzzy Hash: eac3997c4ef64c4269b5cdeff22c686b0cda9324d02086de95a1065d277f8673
                                                          • Instruction Fuzzy Hash: 19412E76901218BFEB10DFA4CD45AEEBBB8EF09700F104099FA55B7182DB746E45CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe,00000104), ref: 00701769
                                                          • _free.LIBCMT ref: 00701834
                                                          • _free.LIBCMT ref: 0070183E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _free$FileModuleName
                                                          • String ID: C:\Users\user\Desktop\FAR.N#U00b02430-24000993.exe
                                                          • API String ID: 2506810119-1276354553
                                                          • Opcode ID: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
                                                          • Instruction ID: 6a91dd4f0997c32a4051d17be47ffe5fb5802b1ed42516ec18b0040fd737edcd
                                                          • Opcode Fuzzy Hash: 8f219d75a4ff58c022a9be24b0c004762cd65d40b0b89a7f3044198a0faba532
                                                          • Instruction Fuzzy Hash: 93318F75A00218EFDB21DF999885D9EBBFCEB85320F948266F50497291D6B88E40CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0073C306
                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 0073C34C
                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007A1990,015C6BC0), ref: 0073C395
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Menu$Delete$InfoItem
                                                          • String ID: 0
                                                          • API String ID: 135850232-4108050209
                                                          • Opcode ID: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
                                                          • Instruction ID: 52404b56cc1800c8b4f3a20fb988fd5bce5d133b8ad8112c27d4d6a937269518
                                                          • Opcode Fuzzy Hash: 0aed95ff483f9672e61020b49c67e7d57b4b147433279959c10424b1bdf85d69
                                                          • Instruction Fuzzy Hash: 6A41B1312043019FE721DF24D885B2ABBE4AF85310F10861DF9A6A72D2D778E904CB63
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0076CC08,00000000,?,?,?,?), ref: 007644AA
                                                          • GetWindowLongW.USER32 ref: 007644C7
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 007644D7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Long
                                                          • String ID: SysTreeView32
                                                          • API String ID: 847901565-1698111956
                                                          • Opcode ID: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
                                                          • Instruction ID: bbcbfaec3b4b626f7807ba028c04e00a1d52810532d0e072372c81a13214ff0f
                                                          • Opcode Fuzzy Hash: 7708319bc41d90098ebf21d0d9d63f8a695fc6c4473551456fb7d89b8a62e06e
                                                          • Instruction Fuzzy Hash: 5231B031210245AFDF218E38DC46BEA7BA9EB09334F204319FD76A21D1DB78EC609B54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SysReAllocString.OLEAUT32(?,?), ref: 00736EED
                                                          • VariantCopyInd.OLEAUT32(?,?), ref: 00736F08
                                                          • VariantClear.OLEAUT32(?), ref: 00736F12
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Variant$AllocClearCopyString
                                                          • String ID: *js
                                                          • API String ID: 2173805711-2626009487
                                                          • Opcode ID: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
                                                          • Instruction ID: 48b268d46495c9335c4d7145dbfba7f0ec4550f085271a6b035fd0b0a9ba48e8
                                                          • Opcode Fuzzy Hash: 0d75b4065e026734700bb5360326a6fc620bdca79412f94b3b0d024d0dbca17e
                                                          • Instruction Fuzzy Hash: AE31D371A04246EFDB05AF64E8509BD3776FF40700F108499F8065B3A2CB389911DBD8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 0075335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00753077,?,?), ref: 00753378
                                                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0075307A
                                                          • _wcslen.LIBCMT ref: 0075309B
                                                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00753106
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                          • String ID: 255.255.255.255
                                                          • API String ID: 946324512-2422070025
                                                          • Opcode ID: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
                                                          • Instruction ID: 8bae0f3703246e86e44192611dcd425c063d6304dd19da8dd8a0a0903365b90a
                                                          • Opcode Fuzzy Hash: cfd413a5f80bfbf8e6e48fe0957819c9fc4c5206f30d1741d1fc8c6a4cbcaa3b
                                                          • Instruction Fuzzy Hash: 5231D2356007099FCB20CF28C485EAA77E1EF14395F248059EC198B3A2DBBADE49C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00764705
                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00764713
                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0076471A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$DestroyWindow
                                                          • String ID: msctls_updown32
                                                          • API String ID: 4014797782-2298589950
                                                          • Opcode ID: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
                                                          • Instruction ID: 40424fa5bee75a807e35ada9b944006c78102cbdb22b627ac0217f90d27794e9
                                                          • Opcode Fuzzy Hash: d10cfbd617b68d94fc6a4d53ba685a82c9c26ccafe010753bbbc337ba23c418a
                                                          • Instruction Fuzzy Hash: 35216DB5600209AFEB11DF68DCD1DB737ADEF9A3A4B044059FA019B3A1CB74EC51CA64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                          • API String ID: 176396367-2734436370
                                                          • Opcode ID: 458baf49792f4e40c3bb1b0b3af463a518df9fbc4286d66df2102fe7904b3fdb
                                                          • Instruction ID: bacd86d3e858ff6217c0d82db2bb9a88c992e1bca43e5efbfd00c3a4e5fc0e14
                                                          • Opcode Fuzzy Hash: 458baf49792f4e40c3bb1b0b3af463a518df9fbc4286d66df2102fe7904b3fdb
                                                          • Instruction Fuzzy Hash: 1A215BB2205610A6E331AB249C03FB773D99F51300F50402AFB4A97183FBD9AD95C2E9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00763840
                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00763850
                                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00763876
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend$MoveWindow
                                                          • String ID: Listbox
                                                          • API String ID: 3315199576-2633736733
                                                          • Opcode ID: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
                                                          • Instruction ID: fe75e9871b3483d1eb68118384b131939731943502bf08d5ebff0116ac817b3f
                                                          • Opcode Fuzzy Hash: b004571a43074dd32b4e269973127eea57797e16da87a1466730505667b9d28c
                                                          • Instruction Fuzzy Hash: 2421BE72610219BBEF218F54DC85EBB376AEF89760F108124F9069B190C6B9DC52CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNEL32(00000001), ref: 00744A08
                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00744A5C
                                                          • SetErrorMode.KERNEL32(00000000,?,?,0076CC08), ref: 00744AD0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ErrorMode$InformationVolume
                                                          • String ID: %lu
                                                          • API String ID: 2507767853-685833217
                                                          • Opcode ID: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
                                                          • Instruction ID: 1d7f42c9a69ce4f66b0bef81adf5ff38ef5defd6926affee26270bb8a5724b4b
                                                          • Opcode Fuzzy Hash: 88736f01990f067338aa17dcad6507fa95d52dec8dbb1bdd453ad98407896521
                                                          • Instruction Fuzzy Hash: 80318571A00208AFDB51DF54C885EAA77F9EF05304F148099F905DB352DB75ED45CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0076424F
                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00764264
                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00764271
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: msctls_trackbar32
                                                          • API String ID: 3850602802-1010561917
                                                          • Opcode ID: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
                                                          • Instruction ID: 7bbe609f8ab5cf53e598c2bb5e16c284671f850ee0946b5a394f54dbaeea9766
                                                          • Opcode Fuzzy Hash: 9fe7f0ae9ccfb68a6981fc619dc13063b80447185b742a9ec04703c2eb000e94
                                                          • Instruction Fuzzy Hash: 1F110631240208BEEF205F29CC46FAB3BACFF85B64F110114FE56E2090D2B5DC519B14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                            • Part of subcall function 00732DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
                                                            • Part of subcall function 00732DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
                                                            • Part of subcall function 00732DA7: GetCurrentThreadId.KERNEL32 ref: 00732DDD
                                                            • Part of subcall function 00732DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
                                                          • GetFocus.USER32 ref: 00732F78
                                                            • Part of subcall function 00732DEE: GetParent.USER32(00000000), ref: 00732DF9
                                                          • GetClassNameW.USER32(?,?,00000100), ref: 00732FC3
                                                          • EnumChildWindows.USER32(?,0073303B), ref: 00732FEB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                          • String ID: %s%d
                                                          • API String ID: 1272988791-1110647743
                                                          • Opcode ID: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
                                                          • Instruction ID: 887d09f186c8bce824e969f4d3c776e8500d7e885fe8050e7939366c038ca45e
                                                          • Opcode Fuzzy Hash: e0d4445714e65765eae1686e579efbb935125b4d1a08040e2304c7c25f187dfe
                                                          • Instruction Fuzzy Hash: AD11A271700205ABEF557F60CC89EFD376AAF84304F04807AF9099B253DE7999468B74
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658C1
                                                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007658EE
                                                          • DrawMenuBar.USER32(?), ref: 007658FD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Menu$InfoItem$Draw
                                                          • String ID: 0
                                                          • API String ID: 3227129158-4108050209
                                                          • Opcode ID: 9628610c3a24bb72dc700e5a10fe55dccdf5a66ae2ea6d5947f543f48661a880
                                                          • Instruction ID: bb8d798c7b42eb1189047f17ec5f305e0f0b15b759f413a5ea120edbeda8dd64
                                                          • Opcode Fuzzy Hash: 9628610c3a24bb72dc700e5a10fe55dccdf5a66ae2ea6d5947f543f48661a880
                                                          • Instruction Fuzzy Hash: 02018B31500348EFDB219F11DC44BAEBBB5FB45360F108099E88AD6151DB74AA94EF24
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
                                                          • Instruction ID: cdca53d831ec80b7a9a20f072e284b40d4f6bed1f333797430e0f4dfafa3a108
                                                          • Opcode Fuzzy Hash: 8253753b864a3daf44eb555188ef87f633ac7682bed257e6c910e5f3f7479465
                                                          • Instruction Fuzzy Hash: 93C17C75A0020AEFEB14CFA4C8A8EAEB7B5FF48714F108598E505EB252D735ED41DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: Variant$ClearInitInitializeUninitialize
                                                          • String ID:
                                                          • API String ID: 1998397398-0
                                                          • Opcode ID: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
                                                          • Instruction ID: ab110ab4ba726a20137004dbefb56dde8aaae6da419b3913df00796c443cd1d3
                                                          • Opcode Fuzzy Hash: 3c797e3134306c09a8fe332146ff964e4a4719a0df5244d677baa0b12027594a
                                                          • Instruction Fuzzy Hash: 32A156756042009FC700DF28C485A6AB7E6EF88351F04895DFD8A9B362EB74EE05CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 007305F0
                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0076FC08,?), ref: 00730608
                                                          • CLSIDFromProgID.OLE32(?,?,00000000,0076CC40,000000FF,?,00000000,00000800,00000000,?,0076FC08,?), ref: 0073062D
                                                          • _memcmp.LIBVCRUNTIME ref: 0073064E
                                                          Similarity
                                                          • API ID: FromProg$FreeTask_memcmp
                                                          • String ID:
                                                          • API String ID: 314563124-0
                                                          • Opcode ID: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
                                                          • Instruction ID: 14643ad8cec9f014846410a42d0494bb1c4970297969af7c41aacff3403e02b6
                                                          • Opcode Fuzzy Hash: 51b789e23a84144422b5f9bab7c606f772b1a5cbeae1182c56737177ce12baba
                                                          • Instruction Fuzzy Hash: 7B815C71A00109EFDB04DF94C994EEEB7B9FF89315F204198F506AB251DB75AE06CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Similarity
                                                          • API ID: _free
                                                          • String ID:
                                                          • API String ID: 269201875-0
                                                          • Opcode ID: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
                                                          • Instruction ID: 9ded31d98f96b9f742e07b3129599e4eab34caeb44a677261bc3a00c9c359610
                                                          • Opcode Fuzzy Hash: ac7449862de37793cccf28df96c29ee6b0aad95c3aecc1afc115ba5fd4e0f20b
                                                          • Instruction Fuzzy Hash: 56415C31600144EBDB216BFC8C4AAFE3AE6EF41770F544225FF19DA1D2E63C89819762
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetWindowRect.USER32(015D07A8,?), ref: 007662E2
                                                          • ScreenToClient.USER32(?,?), ref: 00766315
                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00766382
                                                          Similarity
                                                          • API ID: Window$ClientMoveRectScreen
                                                          • String ID:
                                                          • API String ID: 3880355969-0
                                                          • Opcode ID: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
                                                          • Instruction ID: 64facde40cee0d18254da372a64f90f244da86788e41b0d8d4ce4715fa12eab9
                                                          • Opcode Fuzzy Hash: f6bf5943e4a54002916e905dc0ee04c00ab54ede5f30f7929b8415f10dcb7526
                                                          • Instruction Fuzzy Hash: 6D513A74A00249EFDF10DF69D8809AE7BB6FF85360F50815AF9169B290D734ED81CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00751AFD
                                                          • WSAGetLastError.WSOCK32 ref: 00751B0B
                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00751B8A
                                                          • WSAGetLastError.WSOCK32 ref: 00751B94
                                                          Similarity
                                                          • API ID: ErrorLast$socket
                                                          • String ID:
                                                          • API String ID: 1881357543-0
                                                          • Opcode ID: 06044fb20646011e0848ede7b7c3d8aa8eec689f2672c9a4f63f733b90acee7c
                                                          • Instruction ID: 974422cc96980774a948dfe48d44aac70c5fddf3f9d891e5f38b70e175fb0813
                                                          • Opcode Fuzzy Hash: 06044fb20646011e0848ede7b7c3d8aa8eec689f2672c9a4f63f733b90acee7c
                                                          • Instruction Fuzzy Hash: 8A41B074600300AFE720AF24C886F6977E6AB44719F94844CF95A9F3D2D7B6DD41CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
                                                          • Instruction ID: 17a4a0bf45e9cb12e9dbdb3e74fc3dfbb8614981e19d07e14129025cefb7a297
                                                          • Opcode Fuzzy Hash: a75bd3f182b5957677229351e99e0d151c9eae01ddabc56e3d296ac9727fda2b
                                                          • Instruction Fuzzy Hash: 3241E672A00344EFD7249F78CC45BAABBE9EF88710F10466AF145DB2C2D779AB418780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00745783
                                                          • GetLastError.KERNEL32(?,00000000), ref: 007457A9
                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007457CE
                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007457FA
                                                          Similarity
                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                          • String ID:
                                                          • API String ID: 3321077145-0
                                                          • Opcode ID: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
                                                          • Instruction ID: 19d179772c79151587568ab2db40ac119efc8d2c874f9c7610a2558297df6b0c
                                                          • Opcode Fuzzy Hash: e4db08bf0b2bc42a7938af6c4ff62fc4d237c67751838d6469f675acbbfd2f1d
                                                          • Instruction Fuzzy Hash: 1F413B39600611DFCB11EF15C444A5EBBE2EF89720B19C489EC4AAB362DB34FD00CB96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,006F6D71,00000000,00000000,006F82D9,?,006F82D9,?,00000001,006F6D71,?,00000001,006F82D9,006F82D9), ref: 0070D910
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070D999
                                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0070D9AB
                                                          • __freea.LIBCMT ref: 0070D9B4
                                                            • Part of subcall function 00703820: RtlAllocateHeap.NTDLL(00000000,?,007A1444,?,006EFDF5,?,?,006DA976,00000010,007A1440,006D13FC,?,006D13C6,?,006D1129), ref: 00703852
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                          • String ID:
                                                          • API String ID: 2652629310-0
                                                          • Opcode ID: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
                                                          • Instruction ID: c1b40e17bcf029e3c4a033e22c42b00e08f0d2232240b6c3c6f0f950d9e275fc
                                                          • Opcode Fuzzy Hash: b476851f3a4df5968cb5d86068522fa21d12f590d995bad01b374c44a84a9b51
                                                          • Instruction Fuzzy Hash: 9931AB72A1020AEBDF25DFA5DC45EAE7BE5EB41310B054268FC05D6291EB39ED50CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00765352
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00765375
                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00765382
                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007653A8
                                                          Similarity
                                                          • API ID: LongWindow$InvalidateMessageRectSend
                                                          • String ID:
                                                          • API String ID: 3340791633-0
                                                          • Opcode ID: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
                                                          • Instruction ID: 74a88d587b45ce700f330a99fcbc8322841d25d23700ca04147ccd12ebafb0dd
                                                          • Opcode Fuzzy Hash: c830634590ab639b2e6a12a51eafe71ae96d4850040d1802024a1102fca038ce
                                                          • Instruction Fuzzy Hash: ED31D234A55A08EFEB309E16CC05BE93761AB05B98F584102FE13963E1C7BC9D40FB45
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0073ABF1
                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 0073AC0D
                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 0073AC74
                                                          • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0073ACC6
                                                          Similarity
                                                          • API ID: KeyboardState$InputMessagePostSend
                                                          • String ID:
                                                          • API String ID: 432972143-0
                                                          • Opcode ID: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
                                                          • Instruction ID: 4b7b3b1ac9315c5ddcbe1a6d3e6fb4fa1a44309f0cfef13c5712f65b20f4a8fd
                                                          • Opcode Fuzzy Hash: b12347610f4bfd827f86380e5de31e703913f6a021e043e15321e306ae1e54c6
                                                          • Instruction Fuzzy Hash: EF311631A44318BFFB258B65CC0A7FABBA5AB45310F08621AE4C1521D2C37D8D818776
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ClientToScreen.USER32(?,?), ref: 0076769A
                                                          • GetWindowRect.USER32(?,?), ref: 00767710
                                                          • PtInRect.USER32(?,?,00768B89), ref: 00767720
                                                          • MessageBeep.USER32(00000000), ref: 0076778C
                                                          Similarity
                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                          • String ID:
                                                          • API String ID: 1352109105-0
                                                          • Opcode ID: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
                                                          • Instruction ID: a162db6af1d08b6b5ce15c8300c3bf2b3e68ffba855fc64720179607831c32cf
                                                          • Opcode Fuzzy Hash: a71a00106a43d1d5bf74f2ca9466bbef521f587560e85d651f8a231fb5b32f29
                                                          • Instruction Fuzzy Hash: A441BF34605254DFDB09CF58C894EA977F4FF49398F5580A8E8169B261D738E941CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetForegroundWindow.USER32 ref: 007616EB
                                                            • Part of subcall function 00733A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00733A57
                                                            • Part of subcall function 00733A3D: GetCurrentThreadId.KERNEL32 ref: 00733A5E
                                                            • Part of subcall function 00733A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007325B3), ref: 00733A65
                                                          • GetCaretPos.USER32(?), ref: 007616FF
                                                          • ClientToScreen.USER32(00000000,?), ref: 0076174C
                                                          • GetForegroundWindow.USER32 ref: 00761752
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                          • String ID:
                                                          • API String ID: 2759813231-0
                                                          • Opcode ID: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
                                                          • Instruction ID: daa5d4ddb4cd0e98bb9d438c3849bb0efcdea4d948975f3828bb52b710f76e9b
                                                          • Opcode Fuzzy Hash: 3708eba034757c44ff94988e3667f076601aa2e5a7953d5bec0c509cc885c0c4
                                                          • Instruction Fuzzy Hash: 50314371D00249AFD700DFA9C885CAEBBF9EF48314B5480AAE456E7312D7359E45CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0073D501
                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0073D50F
                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0073D52F
                                                          • CloseHandle.KERNEL32(00000000), ref: 0073D5DC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                          • String ID:
                                                          • API String ID: 420147892-0
                                                          • Opcode ID: 43102ead6edb843ac6589a8d48497081928a2c77253a653b4f6baefeb229450a
                                                          • Instruction ID: a6705e946702535b3b589dc34347f29cdf0d0865955024380f33c3964bd5147c
                                                          • Opcode Fuzzy Hash: 43102ead6edb843ac6589a8d48497081928a2c77253a653b4f6baefeb229450a
                                                          • Instruction Fuzzy Hash: BF31E4721083009FD315EF50D881ABFBBF8EF99344F04082DF582872A2EB719944CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          • GetCursorPos.USER32(?), ref: 00769001
                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00727711,?,?,?,?,?), ref: 00769016
                                                          • GetCursorPos.USER32(?), ref: 0076905E
                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00727711,?,?,?), ref: 00769094
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                          • String ID:
                                                          • API String ID: 2864067406-0
                                                          • Opcode ID: 89452f109dace545edf0aaaf14b86acc4c653e3f025a7b6f1fbeb5b78be43775
                                                          • Instruction ID: 42322d9f4060f75f7cb753a9703aad57fee122301175975b43085c22a8a33ad6
                                                          • Opcode Fuzzy Hash: 89452f109dace545edf0aaaf14b86acc4c653e3f025a7b6f1fbeb5b78be43775
                                                          • Instruction Fuzzy Hash: 0221A135601118EFDF268F94CC58EFA7BB9EF8A360F148069FA0647261C379AD50DB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetFileAttributesW.KERNEL32(?,0076CB68), ref: 0073D2FB
                                                          • GetLastError.KERNEL32 ref: 0073D30A
                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0073D319
                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0076CB68), ref: 0073D376
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                          • String ID:
                                                          • API String ID: 2267087916-0
                                                          • Opcode ID: 225abcbbdc2030aa6ddf257f7428573f7ff43848e0b58b3e25f34a44932552f1
                                                          • Instruction ID: 878eefa10e6a3ecdeadd05a7361d48b38d0ccacd56b901c7cf7f31ca1995fcde
                                                          • Opcode Fuzzy Hash: 225abcbbdc2030aa6ddf257f7428573f7ff43848e0b58b3e25f34a44932552f1
                                                          • Instruction Fuzzy Hash: 7D21A370509301DF9320DF24E88186A77E4FE56724F104A1EF499C32A2D735DD49CB97
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0073102A
                                                            • Part of subcall function 00731014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00731036
                                                            • Part of subcall function 00731014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731045
                                                            • Part of subcall function 00731014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0073104C
                                                            • Part of subcall function 00731014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00731062
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007315BE
                                                          • _memcmp.LIBVCRUNTIME ref: 007315E1
                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00731617
                                                          • HeapFree.KERNEL32(00000000), ref: 0073161E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                          • String ID:
                                                          • API String ID: 1592001646-0
                                                          • Opcode ID: e39eb74af27895508a79b03d8b62a272bf241ba2e86824a1694ca0fc9aca2741
                                                          • Instruction ID: b04a88705c8f971b707be0a36532bd669d936042aafd38777e25c0660ca693b4
                                                          • Opcode Fuzzy Hash: e39eb74af27895508a79b03d8b62a272bf241ba2e86824a1694ca0fc9aca2741
                                                          • Instruction Fuzzy Hash: A421A171E00209EFEF04DFA5C945BEEB7B8EF44344F498459E441AB242EB78AE05CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000EC), ref: 0076280A
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762824
                                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00762832
                                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00762840
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Long$AttributesLayered
                                                          • String ID:
                                                          • API String ID: 2169480361-0
                                                          • Opcode ID: 56c906802462b6fc6c0a39bab4936461358fe5584d4644612c3152981bad7d65
                                                          • Instruction ID: 512d26a49b99b3d5c2c09ffc3dcf6a11aaee83edc54614cd0a3f339f6907a3eb
                                                          • Opcode Fuzzy Hash: 56c906802462b6fc6c0a39bab4936461358fe5584d4644612c3152981bad7d65
                                                          • Instruction Fuzzy Hash: 8D21F131204A12AFD7549B24CC44FAA7B95AF85324F248159F8278B6E3CBB9FC42C7D0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 00738D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738D8C
                                                            • Part of subcall function 00738D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00738DB2
                                                            • Part of subcall function 00738D7D: lstrcmpiW.KERNEL32(00000000,?,0073790A,?,000000FF,?,00738754,00000000,?,0000001C,?,?), ref: 00738DE3
                                                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737923
                                                          • lstrcpyW.KERNEL32(00000000,?), ref: 00737949
                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00738754,00000000,?,0000001C,?,?,00000000), ref: 00737984
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: lstrcmpilstrcpylstrlen
                                                          • String ID: cdecl
                                                          • API String ID: 4031866154-3896280584
                                                          • Opcode ID: 70ce809d8ea501be28673684260441b6c67b2b1414118449a347409a9ab1f7d3
                                                          • Instruction ID: 14a86e7195db0197063286ea3d7b59390e413b2559c596c719f51e4e03714405
                                                          • Opcode Fuzzy Hash: 70ce809d8ea501be28673684260441b6c67b2b1414118449a347409a9ab1f7d3
                                                          • Instruction Fuzzy Hash: 8011297A200341ABDB295F35D844E7A77A9FF45350F00812AF842C7265EF79E801C755
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00767D0B
                                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00767D2A
                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00767D42
                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0074B7AD,00000000), ref: 00767D6B
                                                            • Part of subcall function 006E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006E9BB2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$Long
                                                          • String ID:
                                                          • API String ID: 847901565-0
                                                          • Opcode ID: ac9b4bd899e38768e1691f57cd78cf1cbb4e28e4d743d6ba9ec7fe543e57dd47
                                                          • Instruction ID: 261c1e267edd317134de87e0b99674c1aa77635d2860fc5a22cfe87e1a4bc467
                                                          • Opcode Fuzzy Hash: ac9b4bd899e38768e1691f57cd78cf1cbb4e28e4d743d6ba9ec7fe543e57dd47
                                                          • Instruction Fuzzy Hash: B811D231204654AFDB149F28CC04A7A3BA5AF863A4F218B24FC37CB2F0E7389950DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 007656BB
                                                          • _wcslen.LIBCMT ref: 007656CD
                                                          • _wcslen.LIBCMT ref: 007656D8
                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00765816
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend_wcslen
                                                          • String ID:
                                                          • API String ID: 455545452-0
                                                          • Opcode ID: 5e22cd5e624771397ea6e71fd5f6cc09b6199d8e32833313fc1122a338951d44
                                                          • Instruction ID: 153c91954f252fac200f35e40e8631235ed6b0233978e00d847452b50e385052
                                                          • Opcode Fuzzy Hash: 5e22cd5e624771397ea6e71fd5f6cc09b6199d8e32833313fc1122a338951d44
                                                          • Instruction Fuzzy Hash: 5211E17160060996DB209F61CC85AFE3BACAF01764F10806AFD17D6081EBB89A84DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0cc2edf4f7271ff5e7bb50742b493c83394c855627dc66169b62980443ade911
                                                          • Instruction ID: d88cb72d209d3ef0a21ec0470585e83705fb429ebd4da045ff2e255131fe7694
                                                          • Opcode Fuzzy Hash: 0cc2edf4f7271ff5e7bb50742b493c83394c855627dc66169b62980443ade911
                                                          • Instruction Fuzzy Hash: 8E01D1F230961AFEF62166B86CC4F27669CEF823B8F750325F521A11D2EB689C005270
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00731A47
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A59
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A6F
                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00731A8A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID:
                                                          • API String ID: 3850602802-0
                                                          • Opcode ID: 0db5bc7ef365c4fad75e4cb9fd8c47b971479fc893a3b5432b5674b07656fa5d
                                                          • Instruction ID: d050dc0bcc666ff71ba6bbf5a2e7fcef58be7df571c5bca149093995f2db31e4
                                                          • Opcode Fuzzy Hash: 0db5bc7ef365c4fad75e4cb9fd8c47b971479fc893a3b5432b5674b07656fa5d
                                                          • Instruction Fuzzy Hash: 4E11393AD01219FFEB11DBA4CD85FADBB78EB08750F204091EA00B7290D6716E50DB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThreadId.KERNEL32 ref: 0073E1FD
                                                          • MessageBoxW.USER32(?,?,?,?), ref: 0073E230
                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0073E246
                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0073E24D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                          • String ID:
                                                          • API String ID: 2880819207-0
                                                          • Opcode ID: 3cdd76d3918cf4967e0559cc67001307065ecfb3bfe60055ff384b841d1ed345
                                                          • Instruction ID: 19fcc23b3707f97169b35283579863d0f19f3a942641416533e8f0b128019990
                                                          • Opcode Fuzzy Hash: 3cdd76d3918cf4967e0559cc67001307065ecfb3bfe60055ff384b841d1ed345
                                                          • Instruction Fuzzy Hash: 78112BB2904358BBEB019FA89C05AAF7FADAB86310F008215F915E32D1D2B8DD0087A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateThread.KERNEL32(00000000,?,006FCFF9,00000000,00000004,00000000), ref: 006FD218
                                                          • GetLastError.KERNEL32 ref: 006FD224
                                                          • __dosmaperr.LIBCMT ref: 006FD22B
                                                          • ResumeThread.KERNEL32(00000000), ref: 006FD249
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                          • String ID:
                                                          • API String ID: 173952441-0
                                                          • Opcode ID: 18c29ec41e2b1c2b9558a353b4b7d650681d0864a2681444ed1ce36b993396d3
                                                          • Instruction ID: 89abd207151a9ce25d1bdd8af35620376d0c5e7fa719c8a31b5a77eac05ba926
                                                          • Opcode Fuzzy Hash: 18c29ec41e2b1c2b9558a353b4b7d650681d0864a2681444ed1ce36b993396d3
                                                          • Instruction Fuzzy Hash: 4501D63640520CBBDB125BA5DC09BBE7A6BEF82331F104219FB25922D0CB719A01C6E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                                          • GetStockObject.GDI32(00000011), ref: 006D6060
                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CreateMessageObjectSendStockWindow
                                                          • String ID:
                                                          • API String ID: 3970641297-0
                                                          • Opcode ID: 2691cad14fcc98602785e7ca5b2b84be93d426f270ea6095a6835f482d173d9e
                                                          • Instruction ID: 311bf313fd1fbb70a29bc3158dc5b6c022eb23ce523022bc88addb69fbcd9bf0
                                                          • Opcode Fuzzy Hash: 2691cad14fcc98602785e7ca5b2b84be93d426f270ea6095a6835f482d173d9e
                                                          • Instruction Fuzzy Hash: CE11C472901608BFEF125F94CD44EFA7B6AFF09354F004102FA1552210C776DC60DB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 006F3B56
                                                            • Part of subcall function 006F3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006F3AD2
                                                            • Part of subcall function 006F3AA3: ___AdjustPointer.LIBCMT ref: 006F3AED
                                                          • _UnwindNestedFrames.LIBCMT ref: 006F3B6B
                                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006F3B7C
                                                          • CallCatchBlock.LIBVCRUNTIME ref: 006F3BA4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                          • String ID:
                                                          • API String ID: 737400349-0
                                                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                          • Instruction ID: 1f596bf0503ba011754e39673dc30443a8c496877176a61627e2c481316bb0f5
                                                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                          • Instruction Fuzzy Hash: EF01293210014DBBDF125E95CC42EFB3B6AEF99754F044019FF5866221CB32E961DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006D13C6,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue), ref: 007030A5
                                                          • GetLastError.KERNEL32(?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000,00000364,?,00702E46), ref: 007030B1
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0070301A,006D13C6,00000000,00000000,00000000,?,0070328B,00000006,FlsSetValue,00772290,FlsSetValue,00000000), ref: 007030BF
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad$ErrorLast
                                                          • String ID:
                                                          • API String ID: 3177248105-0
                                                          • Opcode ID: aad9eb118b77bf40716785dee58b8cb55596121608d2526cf6530c027459d107
                                                          • Instruction ID: 2b42031dc542b7c6846ea2d4c28435796d8e55af83550e18ab474f641d35d76e
                                                          • Opcode Fuzzy Hash: aad9eb118b77bf40716785dee58b8cb55596121608d2526cf6530c027459d107
                                                          • Instruction Fuzzy Hash: 8B01F732312326EBCB324B799C459677BDEAF45BA1B108720F94AE31C0D729D901C6E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0073747F
                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00737497
                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007374AC
                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007374CA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                          • String ID:
                                                          • API String ID: 1352324309-0
                                                          • Opcode ID: c1934e0217c948e4999e4b9768f26eec37a66062bb1d9a9e2959997a72cdaae6
                                                          • Instruction ID: 0df0b1a4cbc62c3d0eaf68b4a8e7a94822fa9f27aa2c58e5d4e4e60e8b35620c
                                                          • Opcode Fuzzy Hash: c1934e0217c948e4999e4b9768f26eec37a66062bb1d9a9e2959997a72cdaae6
                                                          • Instruction Fuzzy Hash: 8D117CF12053949BF7348F54EC08BA27FF8EB00B10F108569A656D6552D7B8F904DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0C4
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0E9
                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B0F3
                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0073ACD3,?,00008000), ref: 0073B126
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CounterPerformanceQuerySleep
                                                          • String ID:
                                                          • API String ID: 2875609808-0
                                                          • Opcode ID: 3d15ceefd3109e122ef3687befabfb1fe61d184c39182a819dba6e2a2adf8496
                                                          • Instruction ID: 2f319ecfdd969ad27f082ba8a7f9ea8a07068a593a9cf16dd9c20f6db508d642
                                                          • Opcode Fuzzy Hash: 3d15ceefd3109e122ef3687befabfb1fe61d184c39182a819dba6e2a2adf8496
                                                          • Instruction Fuzzy Hash: BC116171C0161CD7DF04AFE4D9596FEBB78FF0A711F108089DA81B6146CB7895508B55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00732DC5
                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00732DD6
                                                          • GetCurrentThreadId.KERNEL32 ref: 00732DDD
                                                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00732DE4
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                          • String ID:
                                                          • API String ID: 2710830443-0
                                                          • Opcode ID: b993afd267a88bedeba8cca67a3d790eca0ed482edef7e4405f90724afe940d8
                                                          • Instruction ID: b45706a92af35b061271b0568ed4a8dac37550603f0354d57cce51ab442cff39
                                                          • Opcode Fuzzy Hash: b993afd267a88bedeba8cca67a3d790eca0ed482edef7e4405f90724afe940d8
                                                          • Instruction Fuzzy Hash: DAE06D722013247AEB212B62DC0EEFB7E6CEF42BA1F004015F107D10829AE98841C6B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006E9693
                                                            • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96A2
                                                            • Part of subcall function 006E9639: BeginPath.GDI32(?), ref: 006E96B9
                                                            • Part of subcall function 006E9639: SelectObject.GDI32(?,00000000), ref: 006E96E2
                                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00768887
                                                          • LineTo.GDI32(?,?,?), ref: 00768894
                                                          • EndPath.GDI32(?), ref: 007688A4
                                                          • StrokePath.GDI32(?), ref: 007688B2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                          • String ID:
                                                          • API String ID: 1539411459-0
                                                          • Opcode ID: 959e9c5038c6a7227cecffa0efc5bc3393c7c477a74b4fd4e36d47a36259dd4b
                                                          • Instruction ID: 2cc1c18390d1a5f86a6780f14cf707a2d8e2c9bd0bd4d9128a5efd4c13719e00
                                                          • Opcode Fuzzy Hash: 959e9c5038c6a7227cecffa0efc5bc3393c7c477a74b4fd4e36d47a36259dd4b
                                                          • Instruction Fuzzy Hash: D6F03A36041259BAEB136F94AC09FDA3F59AF4A310F44C100FA52651E1C7B95511CFAA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetSysColor.USER32(00000008), ref: 006E98CC
                                                          • SetTextColor.GDI32(?,?), ref: 006E98D6
                                                          • SetBkMode.GDI32(?,00000001), ref: 006E98E9
                                                          • GetStockObject.GDI32(00000005), ref: 006E98F1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Color$ModeObjectStockText
                                                          • String ID:
                                                          • API String ID: 4037423528-0
                                                          • Opcode ID: ffa1bd225921eef9bd2fc7271c5113f43289d53a282c626531e10fc8aaf937f0
                                                          • Instruction ID: bf5f8d2a2da00ac26fa1ac98fa342632d882705ae41aa398280c76ccfd119ccd
                                                          • Opcode Fuzzy Hash: ffa1bd225921eef9bd2fc7271c5113f43289d53a282c626531e10fc8aaf937f0
                                                          • Instruction Fuzzy Hash: 01E06531244384AADB225B75FC09BE93F11AB12335F14C219F6FB540E1C3B94650DB11
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentThread.KERNEL32 ref: 00731634
                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073163B
                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007311D9), ref: 00731648
                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,007311D9), ref: 0073164F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CurrentOpenProcessThreadToken
                                                          • String ID:
                                                          • API String ID: 3974789173-0
                                                          • Opcode ID: e06761637a89cdd6dae6d644487237d8eedb1ed8b055ec0b8170b1c2b4863934
                                                          • Instruction ID: b47e7c0917eca463b06563f46de632ec65e75d4311e549d7f9321fe0fb387975
                                                          • Opcode Fuzzy Hash: e06761637a89cdd6dae6d644487237d8eedb1ed8b055ec0b8170b1c2b4863934
                                                          • Instruction Fuzzy Hash: EEE08671601311EBE7201FE19E0DB663B7CAF44791F14C808F686D9080DABC4440C758
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 0072D858
                                                          • GetDC.USER32(00000000), ref: 0072D862
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
                                                          • ReleaseDC.USER32(?), ref: 0072D8A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 46fd10555ce78d5e5ca6f0be6f1f1b253eb038102eda950e347686c8d331e0d1
                                                          • Instruction ID: a1e015248ba213f0ff686f7f09f9ad729269b6c2fb46886580e93bc2a68491f4
                                                          • Opcode Fuzzy Hash: 46fd10555ce78d5e5ca6f0be6f1f1b253eb038102eda950e347686c8d331e0d1
                                                          • Instruction Fuzzy Hash: F3E01AB5800305DFCB429FA0D808A7DBBB2FB08310F14D009E88BE7250C7BC9941AF48
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetDesktopWindow.USER32 ref: 0072D86C
                                                          • GetDC.USER32(00000000), ref: 0072D876
                                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0072D882
                                                          • ReleaseDC.USER32(?), ref: 0072D8A3
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CapsDesktopDeviceReleaseWindow
                                                          • String ID:
                                                          • API String ID: 2889604237-0
                                                          • Opcode ID: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
                                                          • Instruction ID: b9fbc5aad1b9bdf5ef9f001c47bd890f516d206e9e9ccb70df9fd0237e653fe8
                                                          • Opcode Fuzzy Hash: 8c30af589b94cf18ec6c2596215f439f906e7d8749e10eccf5c2566d2759a9b5
                                                          • Instruction Fuzzy Hash: 02E01A70C00304DFCB429FA0D80866DBBB2FB08310B149009E98AE7250C7BC59019F48
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D7620: _wcslen.LIBCMT ref: 006D7625
                                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00744ED4
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Connection_wcslen
                                                          • String ID: *$LPT
                                                          • API String ID: 1725874428-3443410124
                                                          • Opcode ID: a0259067a6e9edf8d1c7586cb12e727afa582bb906799311179c97b3c833ea3e
                                                          • Instruction ID: ee6ea3af779c17143d1bd9e330c6f207bb9ee584a19bd1a47bffd699da79edb8
                                                          • Opcode Fuzzy Hash: a0259067a6e9edf8d1c7586cb12e727afa582bb906799311179c97b3c833ea3e
                                                          • Instruction Fuzzy Hash: 94914D75A002549FDB14DF58C484FAABBF1BF44304F198099E80A9F3A2D739EE85DB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,?,00000000,00000000), ref: 007578DD
                                                            • Part of subcall function 006D6B57: _wcslen.LIBCMT ref: 006D6B6A
                                                          • CharUpperBuffW.USER32(0072569E,00000000,?,0076CC08,00000000,?,00000000,00000000), ref: 0075783B
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper$_wcslen
                                                          • String ID: <sy
                                                          • API String ID: 3544283678-4294649419
                                                          • Opcode ID: b719c47ea3b9386918f3f92e2ac2931e12ac817a08806469225c697afd9b9f7b
                                                          • Instruction ID: 9ffc1710135f06a075a9cf6980cd7a11bb6445158324f7e8b8c3132c5d0309ba
                                                          • Opcode Fuzzy Hash: b719c47ea3b9386918f3f92e2ac2931e12ac817a08806469225c697afd9b9f7b
                                                          • Instruction Fuzzy Hash: BB618371D141189BCF48EBE0DC91DFDB375BF14301B44452AF942A7291EF786A09DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          • API String ID: 0-1885708031
                                                          • Opcode ID: 70851b8fa76224614c850ed6cc6ea9ad273b88fb738ee0a47d6ecad1fa6e5eeb
                                                          • Instruction ID: 5e8112ec98d61a462b2bdbb46215fc54cda045109d30ecbbd29a8a1ef2388a89
                                                          • Opcode Fuzzy Hash: 70851b8fa76224614c850ed6cc6ea9ad273b88fb738ee0a47d6ecad1fa6e5eeb
                                                          • Instruction Fuzzy Hash: 45514335A01396DFDB15DF69D0816FA7BAAEF15310F248059E8919B3C0DB399E43CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Sleep.KERNEL32(00000000), ref: 006EF2A2
                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 006EF2BB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemorySleepStatus
                                                          • String ID: @
                                                          • API String ID: 2783356886-2766056989
                                                          • Opcode ID: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
                                                          • Instruction ID: 195248a5a8836f5fa29b98a90af3299b0432ef810a9389e6e1e61dd40b97c019
                                                          • Opcode Fuzzy Hash: 9aa994e7cfe10a609439a920ce03e55d6472ace42a2e266f89344b50ffbaf49d
                                                          • Instruction Fuzzy Hash: 0B5158718087499BD360AF10DC86BABBBF9FF84310F91884DF1D981195EB709529CB6B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007557E0
                                                          • _wcslen.LIBCMT ref: 007557EC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: BuffCharUpper_wcslen
                                                          • String ID: CALLARGARRAY
                                                          • API String ID: 157775604-1150593374
                                                          • Opcode ID: 2837c5cb3da8bed441e28c5cd2debedea87dc2016890a234462c0b7e272c4e66
                                                          • Instruction ID: fa7da8ce989b906a3eff5fcb515edae7df93156e5fd6fbbf7140e495702f836f
                                                          • Opcode Fuzzy Hash: 2837c5cb3da8bed441e28c5cd2debedea87dc2016890a234462c0b7e272c4e66
                                                          • Instruction Fuzzy Hash: D6419F31E00209DFCB14DFA9C8959FEBBB5EF59311F10402DE905A7251E7B9AD85CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • _wcslen.LIBCMT ref: 0074D130
                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0074D13A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CrackInternet_wcslen
                                                          • String ID: |
                                                          • API String ID: 596671847-2343686810
                                                          • Opcode ID: aaba46a2a2a981acf6533f05ae04078857cdaca56686a3fa781004c55cedf351
                                                          • Instruction ID: e59fd2e0ac6a2cf8cec74010fba208d9631ebaecb1b8c1c259c371b053f00249
                                                          • Opcode Fuzzy Hash: aaba46a2a2a981acf6533f05ae04078857cdaca56686a3fa781004c55cedf351
                                                          • Instruction Fuzzy Hash: 4A313D75D00209ABCF55EFA4CC85AEE7FBAFF04304F00001EF915A6265EB35AA06DB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00763621
                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0076365C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$DestroyMove
                                                          • String ID: static
                                                          • API String ID: 2139405536-2160076837
                                                          • Opcode ID: c8e6cfa3169c1c75736e33e52170659dcf13f0283030f38f5132c7439da916ff
                                                          • Instruction ID: 0b018369fd3b9a489186bb0b1438f142749cebde83e9bbb639f7de2853470b09
                                                          • Opcode Fuzzy Hash: c8e6cfa3169c1c75736e33e52170659dcf13f0283030f38f5132c7439da916ff
                                                          • Instruction Fuzzy Hash: D6318F71100204AAEB109F78DC40EFB73A9FF88724F00961DFDA697290DA78AD91C764
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0076461F
                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00764634
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: '
                                                          • API String ID: 3850602802-1997036262
                                                          • Opcode ID: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
                                                          • Instruction ID: 72c942bbd99c6debff109d02880331025b851ce6089effceb8528f1a1fad5da1
                                                          • Opcode Fuzzy Hash: ab699a260db84c5bb369bb4190484bc0103a0ae4a289b47af5b896dcc71c7fd0
                                                          • Instruction Fuzzy Hash: 38312774A0120A9FDF14CFA9C980BDA7BB5FF49300F14406AED06AB342D774A951CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0076327C
                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00763287
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: MessageSend
                                                          • String ID: Combobox
                                                          • API String ID: 3850602802-2096851135
                                                          • Opcode ID: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
                                                          • Instruction ID: 997092defedd7166d6c326abea698cf3df1a7257746bfd621fad275c15de15f4
                                                          • Opcode Fuzzy Hash: 7af11ecf8bb60870da8cc17cd972c3026f2ddf3e5915b2f50e469d35d4754fc3
                                                          • Instruction Fuzzy Hash: 6D11E271300208BFFF25DE54DC90EBB37AAFB943A4F104128F91A97290D6799D51C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006D604C
                                                            • Part of subcall function 006D600E: GetStockObject.GDI32(00000011), ref: 006D6060
                                                            • Part of subcall function 006D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006D606A
                                                          • GetWindowRect.USER32(00000000,?), ref: 0076377A
                                                          • GetSysColor.USER32(00000012), ref: 00763794
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                          • String ID: static
                                                          • API String ID: 1983116058-2160076837
                                                          • Opcode ID: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
                                                          • Instruction ID: 2c7ec7d799701aa0b904c0064bc4e49e8059ed111dbd1e3e19ce8f9e2161f1b1
                                                          • Opcode Fuzzy Hash: 03b58c3129f5cc7066945cc0bc8f5d78177e02a807bc320969db50b7de55f22b
                                                          • Instruction Fuzzy Hash: 301129B2610209AFDB01DFA8CC45AFA7BB8EB09354F004515FD56E2250D779E851DB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0074CD7D
                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0074CDA6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Internet$OpenOption
                                                          • String ID: <local>
                                                          • API String ID: 942729171-4266983199
                                                          • Opcode ID: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
                                                          • Instruction ID: dbab2b53fac9e62d10b9ed610a221f4dba34d8bb70a7981863a5ebe6da7a048e
                                                          • Opcode Fuzzy Hash: 34323b5b75b6ce3f73b590345d31a23327883da23e3e426dc5bc9ab067ad6a41
                                                          • Instruction Fuzzy Hash: 4A11C671B066357AD77A4B668C45EF7BE6CEF127A4F004226B15983190D7789840DAF0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetWindowTextLengthW.USER32(00000000), ref: 007634AB
                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007634BA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: LengthMessageSendTextWindow
                                                          • String ID: edit
                                                          • API String ID: 2978978980-2167791130
                                                          • Opcode ID: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
                                                          • Instruction ID: 9fb7c6079535bb392dd25087fbc61fb171528b6c80150ee07aec7863c1f1da1e
                                                          • Opcode Fuzzy Hash: 559d64c93edb163c6a708ed535b0a48eb677e41e237ca7eb311fac5ad25c8fe7
                                                          • Instruction Fuzzy Hash: 67118F71500248ABEB128E64DC44ABB7B6AEF05374F504324FD62931E0CB79DC55D754
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          • CharUpperBuffW.USER32(?,?,?), ref: 00736CB6
                                                          • _wcslen.LIBCMT ref: 00736CC2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen$BuffCharUpper
                                                          • String ID: STOP
                                                          • API String ID: 1256254125-2411985666
                                                          • Opcode ID: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
                                                          • Instruction ID: 88536fb71b3386e1935d9d56455dea9e4b6f74483a1bd23c55d658a4f7139fb9
                                                          • Opcode Fuzzy Hash: 3534ddd493c9639bf4845917164db8fc284de755b1b78ada218143f0c87bbd91
                                                          • Instruction Fuzzy Hash: 85010432B10526AADB21AFBDDC808BF77B5EA61714B004529E85296292EA39E800C760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00731D4C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: e8fb8b9d35726f66f1ac7e18016c512d6491218c14b497c3ed9fbec80f42a5cf
                                                          • Instruction ID: 8aa6dd330179ae27d6f8c229df31dc4b6ad9d7e2f2ed152511ab1a70497fd943
                                                          • Opcode Fuzzy Hash: e8fb8b9d35726f66f1ac7e18016c512d6491218c14b497c3ed9fbec80f42a5cf
                                                          • Instruction Fuzzy Hash: 5701D871B11224ABDB18EBA4DC55CFE7369EB57350F44091AF872573C2EA3859088770
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00731C46
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
                                                          • Instruction ID: ce2ed5b33887f172cb3ee2702713faf09f5a97b6cbc0ff6224d0102d0443231d
                                                          • Opcode Fuzzy Hash: 62033c9b61dabb5e675a745da89209886e9d980bb17c98cd766979a6c4651087
                                                          • Instruction Fuzzy Hash: 0901F7B1B8010466DF18EBA0D951DFF73A89B11340F50141AB416632C2EA289E0887B5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00731CC8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: 685b09d952e9287b6ad801cd81d094061793d47cbf3546521dfaf670e73972f7
                                                          • Instruction ID: ff7234b53e942ca047fe0b027e1d3d14ec960da2d7611d14587aa980995eb484
                                                          • Opcode Fuzzy Hash: 685b09d952e9287b6ad801cd81d094061793d47cbf3546521dfaf670e73972f7
                                                          • Instruction Fuzzy Hash: FA01D6B2B8011867EF15EBA0DA01EFE73A89B11340F54141AB80273282EA689F08D775
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 006EA529
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: Init_thread_footer_wcslen
                                                          • String ID: ,%z$3yr
                                                          • API String ID: 2551934079-955863410
                                                          • Opcode ID: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
                                                          • Instruction ID: a7edfe76951cb832cd2e0e8b42d4ed51f45b5ad6cc231fccb0dd3219fdbcb2c3
                                                          • Opcode Fuzzy Hash: 2c4402e50c6b6e5617de2a358b820810c71575378733b799208fc222c24c016d
                                                          • Instruction Fuzzy Hash: 0401F231B017549BD604F7A9E85BAAD3366AB46710F50046DF612572C3EE14AD028AAF
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006D9CB3: _wcslen.LIBCMT ref: 006D9CBD
                                                            • Part of subcall function 00733CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00733CCA
                                                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00731DD3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: ClassMessageNameSend_wcslen
                                                          • String ID: ComboBox$ListBox
                                                          • API String ID: 624084870-1403004172
                                                          • Opcode ID: a88e87eeae5510c05ed2f02422027e061257c22a4b4e3ca336f0dbbbc8d1e937
                                                          • Instruction ID: 4dae87d5ce3c8b8d04f6f7b60cbadb25790784b6e673f96c5ede2e5b86bd6c87
                                                          • Opcode Fuzzy Hash: a88e87eeae5510c05ed2f02422027e061257c22a4b4e3ca336f0dbbbc8d1e937
                                                          • Instruction Fuzzy Hash: 35F0A4B1F5121466EB18E7A4DC56EFE7778AF02750F440D1AB862633C2DA6859088274
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007A3018,007A305C), ref: 007681BF
                                                          • CloseHandle.KERNEL32 ref: 007681D1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: CloseCreateHandleProcess
                                                          • String ID: \0z
                                                          • API String ID: 3712363035-4117864471
                                                          • Opcode ID: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
                                                          • Instruction ID: dcfd1650ff9f9dad5c39c1766fac693be47aafce6192e2c3c65a1f6bcf4a2800
                                                          • Opcode Fuzzy Hash: a61c4887d1ae87d44d9d30118545c56bac6687de06d588077019c85d9200f800
                                                          • Instruction Fuzzy Hash: 8FF05EF2640304BAF2206B61AC55FB77A5EEB46750F008425FB09D51A2D67E8A0086BD
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          • Associated: 00000000.00000002.2100442681.00000000006D0000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.000000000076C000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100526324.0000000000792000.00000002.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100583266.000000000079C000.00000004.00000001.01000000.00000003.sdmp
                                                          • Associated: 00000000.00000002.2100607310.00000000007A4000.00000002.00000001.01000000.00000003.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_6d0000_FAR.jbxd
                                                          Similarity
                                                          • API ID: _wcslen
                                                          • String ID: 3, 3, 16, 1
                                                          • API String ID: 176396367-3042988571
                                                          • Opcode ID: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
                                                          • Instruction ID: 385c44522ca8449eb092b8a0874ad614c195783e724050bf3574240c502b062e
                                                          • Opcode Fuzzy Hash: 668f778a576d829853c95fb52ae7cc8b47ad75ac4e95dc629c2aaf48cae7b939
                                                          • Instruction Fuzzy Hash: CDE02B423142A01092791279BCC19BF578ACFC6751714182FFE85C2266EED88D91D3E4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00730B23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: Message
                                                          • String ID: AutoIt$Error allocating memory.
                                                          • API String ID: 2030045667-4017498283
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 006EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006F0D71,?,?,?,006D100A), ref: 006EF7CE
                                                          • IsDebuggerPresent.KERNEL32(?,?,?,006D100A), ref: 006F0D75
                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006D100A), ref: 006F0D84
                                                          Strings
                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006F0D7F
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                          • API String ID: 55579361-631824599
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                          • __Init_thread_footer.LIBCMT ref: 006EE3D5
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: Init_thread_footer
                                                          • String ID: 0%z$8%z
                                                          • API String ID: 1385522511-2349322819
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: LocalTime
                                                          • String ID: %.3d$X64
                                                          • API String ID: 481472006-1077770165
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076236C
                                                          • PostMessageW.USER32(00000000), ref: 00762373
                                                            • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0076232C
                                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0076233F
                                                            • Part of subcall function 0073E97B: Sleep.KERNEL32 ref: 0073E9F3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: FindMessagePostSleepWindow
                                                          • String ID: Shell_TrayWnd
                                                          • API String ID: 529655941-2988720461
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%

                                                          APIs
                                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0070BE93
                                                          • GetLastError.KERNEL32 ref: 0070BEA1
                                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0070BEFC
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2100466612.00000000006D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006D0000, based on PE: true
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$ErrorLast
                                                          • String ID:
                                                          • API String ID: 1717984340-0
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%