Windows Analysis Report
whiteee.exe

Overview

General Information

Sample name: whiteee.exe
Analysis ID: 1465926
MD5: 9a961cdb405219d714347c06a7a6a995
SHA1: 2bf6f2e31d453c52685f8ffeaa52056aa727674d
SHA256: 2cbc13099ee1ba4b8c671bfca525bb2c5c057c2fc13df105dec2852a8b672e50
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Snake Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • whiteee.exe (PID: 3852 cmdline: "C:\Users\user\Desktop\whiteee.exe" MD5: 9A961CDB405219D714347C06A7A6A995)
    • RegSvcs.exe (PID: 4420 cmdline: "C:\Users\user\Desktop\whiteee.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Username": "mmcc1@cash4cars.nz", "Password": "TeZIDzFWyl7%", "Host": "mail.cash4cars.nz", "Port": "26"}
Source | Rule | Description | Author | Strings
00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x147c0:$a1: get_encryptedPassword
  • 0x14aac:$a2: get_encryptedUsername
  • 0x145cc:$a3: get_timePasswordChanged
  • 0x146c7:$a4: get_passwordField
  • 0x147d6:$a5: set_encryptedPassword
  • 0x15dbd:$a7: get_logins
  • 0x15d20:$a10: KeyLoggerEventArgs
  • 0x159b9:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x18010:$x1: $%SMTPDV$
  • 0x18076:$x2: $#TheHashHere%&
  • 0x196ad:$x3: %FTPDV$
  • 0x19797:$x4: $%TelegramDv$
  • 0x159b9:$x5: KeyLoggerEventArgs
  • 0x15d20:$x5: KeyLoggerEventArgs
  • 0x196d1:$m2: Clipboard Logs ID
  • 0x198e7:$m2: Screenshot Logs ID
  • 0x199f7:$m2: keystroke Logs ID
  • 0x19cd1:$m3: SnakePW
  • 0x198bf:$m4: \SnakeKeylogger\
00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.whiteee.exe.14b0000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.whiteee.exe.14b0000.1.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.whiteee.exe.14b0000.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12bc0:$a1: get_encryptedPassword
  • 0x12eac:$a2: get_encryptedUsername
  • 0x129cc:$a3: get_timePasswordChanged
  • 0x12ac7:$a4: get_passwordField
  • 0x12bd6:$a5: set_encryptedPassword
  • 0x141bd:$a7: get_logins
  • 0x14120:$a10: KeyLoggerEventArgs
  • 0x13db9:$a11: KeyLoggerEventArgsEventHandler
0.2.whiteee.exe.14b0000.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a493:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x196c5:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19af8:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1ab37:$a5: \Kometa\User Data\Default\Login Data
0.2.whiteee.exe.14b0000.1.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x13731:$s1: UnHook
  • 0x13738:$s2: SetHook
  • 0x13740:$s3: CallNextHook
  • 0x1374d:$s4: _hook
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "mmcc1@cash4cars.nz", "Password": "TeZIDzFWyl7%", "Host": "mail.cash4cars.nz", "Port": "26"}
Source: whiteee.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: whiteee.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: whiteee.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.0
Source: Binary string: wntdll.pdbUGP source: whiteee.exe, 00000000.00000003.2155459145.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, whiteee.exe, 00000000.00000003.2156364586.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: whiteee.exe, 00000000.00000003.2155459145.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, whiteee.exe, 00000000.00000003.2156364586.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00F8DBBE
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F5C2A2 FindFirstFileExW | 0_2_00F5C2A2
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F968EE FindFirstFileW,FindClose | 0_2_00F968EE
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00F9698F
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D076
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F8D3A9
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F99642
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F9979D
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00F99B2B
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F95C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00F95C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 014AF1F6h | 2_2_014AF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 014AFB80h | 2_2_014AF007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_014AE528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_014AEB5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h | 2_2_014AED3C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05401A38h | 2_2_05401620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05401471h | 2_2_054011C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 054002F1h | 2_2_05400040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05401011h | 2_2_05400D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540F009h | 2_2_0540ED60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540C041h | 2_2_0540BD98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540DEA9h | 2_2_0540DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540B791h | 2_2_0540B4E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05400751h | 2_2_054004A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540E759h | 2_2_0540E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540DA51h | 2_2_0540D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540C8F1h | 2_2_0540C648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540F8B9h | 2_2_0540F610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05401A38h | 2_2_05401610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540D1A1h | 2_2_0540CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540BBE9h | 2_2_0540B940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05401A38h | 2_2_05401966
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05400BB1h | 2_2_05400900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540EBB1h | 2_2_0540E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540C499h | 2_2_0540C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540F461h | 2_2_0540F1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540E301h | 2_2_0540E058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540D5F9h | 2_2_0540D350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540FD11h | 2_2_0540FA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0540CD49h | 2_2_0540CAA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C8945h | 2_2_067C8608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C5D19h | 2_2_067C5A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C58C1h | 2_2_067C5618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C6171h | 2_2_067C5EC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C6A21h | 2_2_067C6778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C65C9h | 2_2_067C6320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C6E79h | 2_2_067C6BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_067C33B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 2_2_067C33A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C72FAh | 2_2_067C7050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C02E9h | 2_2_067C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C0B99h | 2_2_067C08F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C7751h | 2_2_067C74A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C0741h | 2_2_067C0498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C8001h | 2_2_067C7D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C0FF1h | 2_2_067C0D48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C7BA9h | 2_2_067C7900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C8459h | 2_2_067C81B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 067C5441h | 2_2_067C5198

Networking

Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9CE44 InternetReadFile,SetEvent,GetLastError,SetEvent | 0_2_00F9CE44
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: whiteee.exe, 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: whiteee.exe, 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33$
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00F9EAFF
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00F9ED6A
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F8AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_00F8AA57
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00FB9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00FB9576

            System Summary

            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
            Source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
            Source: whiteee.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: whiteee.exe, 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_ff810c3c-1
            Source: whiteee.exe, 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_e086e2e8-b
            Source: whiteee.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_54bee833-8
            Source: whiteee.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_2d6e7159-4
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8D5EB: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00F8D5EB
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_00F81201
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_00F8E8F6
            Source: C:\Users\user\Desktop\whiteee.exeCode function: String function: 00F40A30 appears 46 times
            Source: C:\Users\user\Desktop\whiteee.exeCode function: String function: 00F29CB3 appears 31 times
            Source: C:\Users\user\Desktop\whiteee.exeCode function: String function: 00F3F9F2 appears 40 times
            Source: whiteee.exe, 00000000.00000003.2155204848.0000000003E6D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs whiteee.exe
            Source: whiteee.exe, 00000000.00000003.2155825249.0000000003CC3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs whiteee.exe
            Source: whiteee.exe, 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs whiteee.exe
            Source: whiteee.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR | Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, ----.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.whiteee.exe.14b0000.1.raw.unpack, --.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F937B5 GetLastError,FormatMessageW,0_2_00F937B5
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F810BF AdjustTokenPrivileges,CloseHandle,0_2_00F810BF
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F816C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00F816C3
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F951CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00F951CD
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00FAA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00FAA67C
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,0_2_00F9648E
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F242A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00F242A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\whiteee.exe | File created: C:\Users\user\AppData\Local\Temp\autB66F.tmp
            Source: whiteee.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\whiteee.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RegSvcs.exe, 00000002.00000002.4609772501.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.000000000300C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002FFC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.000000000304F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.000000000301A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4610577869.0000000003E4E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: whiteee.exe | ReversingLabs: Detection: 36%
            Source: unknown | Process created: C:\Users\user\Desktop\whiteee.exe "C:\Users\user\Desktop\whiteee.exe"
            Source: C:\Users\user\Desktop\whiteee.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\whiteee.exe"
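The process-creation entries above show RegSvcs.exe, a legitimate .NET Framework binary, being started by whiteee.exe with whiteee.exe's own path as its command line, and the UNPACKEDPE and MEMORY Yara hits on RegSvcs.exe at 0x400000 show the Snake Keylogger payload resident inside that host process. The Python below is an added example, not part of the Joe Sandbox report, of the image-versus-command-line mismatch check a detection engineer would run over process-creation telemetry. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the event records are constructed to mirror this report's process tree and the list of commonly hollowed .NET hosts is the author's own, not something the report states.

```python
"""Flag child processes whose on-disk image does not match the program named on
their command line, the hollowing pattern visible in this report (RegSvcs.exe
started with whiteee.exe's own path as its command line).

Added example, not part of the Joe Sandbox report. The events below are
constructed to mirror the report's process tree; field names follow Sysmon
Event ID 1 (ParentImage, Image, CommandLine).
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry (not real log data).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\whiteee.exe",
              r'"C:\Users\user\Desktop\whiteee.exe"'),
    ProcEvent(r"C:\Users\user\Desktop\whiteee.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Users\user\Desktop\whiteee.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\user\notes.txt"),
]

# .NET Framework binaries that commodity stealers routinely hollow (author's
# list, an assumption for scoring): a mismatch landing on one of these is
# scored higher than a generic mismatch.
DOTNET_HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe",
}


def first_token(command_line: str) -> str:
    """Return the program path from a Windows command line (quoted or bare)."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def image_mismatch(ev: ProcEvent) -> bool:
    """True when the executable named on the command line differs from Image."""
    claimed = ntpath.basename(first_token(ev.command_line)).lower()
    return bool(claimed) and claimed != ntpath.basename(ev.image).lower()


def triage(events):
    """Return (image, claimed_program, severity) for every mismatching event."""
    findings = []
    for ev in events:
        if not image_mismatch(ev):
            continue
        host = ntpath.basename(ev.image).lower()
        severity = "high" if host in DOTNET_HOLLOWING_HOSTS else "medium"
        findings.append((ev.image, first_token(ev.command_line), severity))
    return findings


if __name__ == "__main__":
    for image, claimed, sev in triage(SAMPLE_EVENTS):
        print(f"[{sev}] {image} launched with the command line of {claimed}")
```

On its own the mismatch is a lead, not proof: installers and updaters that re-launch through a helper produce the same shape. Corroborate it, as this report does, with writes into the child's memory and with Yara or scanner hits on the child's unpacked image before calling it hollowing.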
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: whiteee.exe | Static file information: File size 1078272 > 1048576
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: whiteee.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: wntdll.pdbUGP | source: whiteee.exe, 00000000.00000003.2155459145.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, whiteee.exe, 00000000.00000003.2156364586.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb | source: whiteee.exe, 00000000.00000003.2155459145.0000000003BA0000.00000004.00001000.00020000.00000000.sdmp, whiteee.exe, 00000000.00000003.2156364586.0000000003D40000.00000004.00001000.00020000.00000000.sdmp
            Source: whiteee.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: whiteee.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: whiteee.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: whiteee.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: whiteee.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00F242DE
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F40A76 push ecx; ret 0_2_00F40A89
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05402E78 push esp; iretd 2_2_05402E79
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_05402840 push esp; retf 2_2_05402AC9
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F3F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00F3F98E
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00FB1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00FB1C41
            Source: C:\Users\user\Desktop\whiteee.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\whiteee.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-98032)
            Source: C:\Users\user\Desktop\whiteee.exe | API/Special instruction interceptor: Address: D73224
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599766
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599641
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599528
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599422
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599312
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599094
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598765
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598656
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598547
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598437
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598328
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598219
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598109
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597891
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597672
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597562
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597453
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597343
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597234
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597125
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597003
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596766
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596641
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596531
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596422
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596311
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596094
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595984
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595875
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595766
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595641
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595516
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595406
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595297
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595187
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595078
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594954
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594809
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594703
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594589
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594483
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7410
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2441
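The delay series above is worth reading rather than skimming. The first value, 922337203685477 ms, is 0x8000000000000000 100-ns units expressed in milliseconds, the relative interval NtDelayExecution receives for an infinite wait such as Sleep(INFINITE) or Thread.Sleep(Timeout.Infinite). The rest count down from 600000 ms (10 minutes) in steps of roughly 110 ms, which is what a deadline loop looks like when every sleep call returns almost immediately: the sample recomputes the time left and sleeps again, and the "threadDelayed 7410" and "threadDelayed 2441" counters record thousands of such passes. The Python below is an added example, not part of the Joe Sandbox report, that parses entries of this shape and reports the wait the sample actually intended; SAMPLE_LINES is a constructed excerpt copied from the entries above, and the thresholds (1000 ms maximum step, 5-entry minimum run, 3-minute "long sleep") are the author's choices.

```python
"""Recognise sleep-based evasion in 'Thread delayed' report entries.

Added example, not part of the Joe Sandbox report. SAMPLE_LINES is a
constructed excerpt copied from the report's own delay entries; the
thresholds below are the author's assumptions.
"""
import re

SAMPLE_LINES = [
    "Thread delayed: delay time: 922337203685477",
    "Thread delayed: delay time: 600000",
    "Thread delayed: delay time: 599891",
    "Thread delayed: delay time: 599766",
    "Thread delayed: delay time: 599641",
    "Thread delayed: delay time: 599528",
    "Thread delayed: delay time: 599422",
    "Thread delayed: delay time: 599312",
]

DELAY_RE = re.compile(r"delay time:\s*(\d+)")

# 0x8000000000000000 100-ns units / 10000 = 922337203685477 ms: the relative
# interval NtDelayExecution is given for Sleep(INFINITE) / Timeout.Infinite.
INFINITE_MS = (1 << 63) // 10_000


def parse_delays(lines):
    """Extract the millisecond delay from each matching line, in order."""
    out = []
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            out.append(int(m.group(1)))
    return out


def countdown_runs(delays, max_step_ms=1000):
    """Group consecutive delays that shrink by a small, bounded step.

    Such a run means the sample keeps re-sleeping for the time left until a
    fixed deadline, which only happens when each sleep returned early (hooked
    or skipped by the analysis environment). Returns (first_ms, last_ms, count).
    """
    runs = []
    i = 0
    while i < len(delays):
        j = i
        while j + 1 < len(delays) and 0 < delays[j] - delays[j + 1] <= max_step_ms:
            j += 1
        if j > i:
            runs.append((delays[i], delays[j], j - i + 1))
        i = j + 1
    return runs


def assess(delays, min_run=5, long_ms=180_000):
    """Summarise the evasion picture for one process's delay entries."""
    runs = [r for r in countdown_runs(delays) if r[2] >= min_run]
    return {
        "infinite_sleep": any(d >= INFINITE_MS for d in delays),
        "long_sleep": any(long_ms <= d < INFINITE_MS for d in delays),
        "countdown_runs": runs,
        # the deadline the sample actually wanted to wait out
        "intended_wait_ms": max((r[0] for r in runs), default=0),
        # wall clock consumed per pass; a small value means the sleep was skipped
        "avg_step_ms": round((runs[0][0] - runs[0][1]) / (runs[0][2] - 1)) if runs else 0,
    }


if __name__ == "__main__":
    print(assess(parse_delays(SAMPLE_LINES)))
```

The practical check this enables: if the intended wait (here 10 minutes) exceeds the analysis run time, the sample's later behaviour was only observed because the environment skipped the sleeps; a sandbox that advances the clock instead would log a single 600000 ms entry, and one that honours the sleep would show nothing at all, so re-run with a longer timeout or sleep skipping enabled before concluding that a quiet sample is benign.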
            Source: C:\Users\user\Desktop\whiteee.exe | API coverage: 3.9 %
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F8DBBE
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F5C2A2 FindFirstFileExW,0_2_00F5C2A2
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F968EE FindFirstFileW,FindClose,0_2_00F968EE
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_00F9698F
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F8D076
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F8D3A9
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F99642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F99642
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F9979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F9979D
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F99B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00F99B2B
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F95C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00F95C97
            Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00F242DE
            Source: RegSvcs.exe, 00000002.00000002.4609119812.0000000001027000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllutral, PublicKeyToken=31bf3856ad364e35" />
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05407B70 LdrInitializeThunk,2_2_05407B70
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F9EAA2 BlockInput,0_2_00F9EAA2
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F52622
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00F242DE
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F44CE8 mov eax, dword ptr fs:[00000030h]0_2_00F44CE8
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00D734F0 mov eax, dword ptr fs:[00000030h]0_2_00D734F0
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00D73490 mov eax, dword ptr fs:[00000030h]0_2_00D73490
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00D71E70 mov eax, dword ptr fs:[00000030h]0_2_00D71E70
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_00F80B62
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F52622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F52622
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F4083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00F4083F
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F409D5 SetUnhandledExceptionFilter,0_2_00F409D5
            Source: C:\Users\user\Desktop\whiteee.exeCode function: 0_2_00F40C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00F40C21
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\whiteee.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\whiteee.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: CBC008
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F81201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F62BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F8B226 SendInput,keybd_event
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00FA22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\whiteee.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\whiteee.exe"
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F80B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F81663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: whiteee.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: whiteee.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F40698 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F98195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F7D27A GetUserNameW
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F5B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00F242DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4609772501.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: whiteee.exe | Binary or memory string: WIN_81
Source: whiteee.exe | Binary or memory string: WIN_XP
Source: whiteee.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: whiteee.exe | Binary or memory string: WIN_XPe
Source: whiteee.exe | Binary or memory string: WIN_VISTA
Source: whiteee.exe | Binary or memory string: WIN_7
Source: whiteee.exe | Binary or memory string: WIN_8
Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.whiteee.exe.14b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4609772501.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: whiteee.exe PID: 3852, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4420, type: MEMORYSTR
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00FA1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\whiteee.exe | Code function: 0_2_00FA1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix

Tactics: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Techniques per tactic, in column order (leading digits kept as they appear in the report):

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: 2 Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: 1 Native API | Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: 1 DLL Side-Loading | 2 Valid Accounts | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation | 1 DLL Side-Loading | 2 Valid Accounts | 21 Access Token Manipulation | 212 Process Injection | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: 11 Disable or Modify Tools | 11 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 1 DLL Side-Loading | 2 Valid Accounts | 111 Virtualization/Sandbox Evasion | 21 Access Token Manipulation | 212 Process Injection | HTML Smuggling | Dynamic API Resolution
Credential Access: 1 OS Credential Dumping | 21 Input Capture | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: 2 System Time Discovery | 1 Account Discovery | 1 File and Directory Discovery | 127 System Information Discovery | 221 Security Software Discovery | 111 Virtualization/Sandbox Evasion | 2 Process Discovery | 11 Application Window Discovery | 1 System Owner/User Discovery | 1 System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: 11 Archive Collected Data | 1 Data from Local System | 1 Email Collection | 21 Input Capture | 3 Clipboard Data | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: 2 Ingress Tool Transfer | 11 Encrypted Channel | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement

Source | Detection | Scanner | Label
whiteee.exe | 37% | ReversingLabs | Win32.Trojan.Strab
whiteee.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://checkip.dyndns.com | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/ | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33$ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/ | 0% | Avira URL Cloud | safe
http://checkip.dyndns.org/q | 0% | Avira URL Cloud | safe
https://reallyfreegeoip.org/xml/8.46.123.33 | 0% | Avira URL Cloud | safe
http://reallyfreegeoip.org | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 158.101.44.242 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33 | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002E7C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.33$ | RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/q | whiteee.exe, 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4609772501.0000000002EA0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F1B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F70000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002F7F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | whiteee.exe, 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4609772501.0000000002E88000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | true
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465926
Start date and time: 2024-07-02 08:38:00 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: whiteee.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 50
• Number of non-executed functions: 301
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: whiteee.exe
Time | Type | Description
02:38:57 | API Interceptor | 12321513x Sleep call for process: RegSvcs.exe modified
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  188.114.96.3Vg46FzGtNo.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • 000366cm.nyashka.top/phpflowergenerator.php
                  QUOTATION_JULQTRA071244#U00faPDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • filetransfer.io/data-package/mHgyHEv5/download
                  file.exeGet hashmaliciousFormBookBrowse
                  • www.cavetta.org.mt/yhnb/
                  http://johnlewisfr.comGet hashmaliciousUnknownBrowse
                  • johnlewisfr.com/
                  cL7A9wGE3w.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • 445798cm.nyashka.top/ProviderEternalLinephpRequestSecurePacketprocessauthwordpress.php
                  http://www.youkonew.anakembok.de/Get hashmaliciousHTMLPhisherBrowse
                  • www.youkonew.anakembok.de/cdn-cgi/challenge-platform/h/g/jsd/r/89b98144d9c843b7
                  hnCn8gE6NH.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                  • yenot.top/providerlowAuthApibigloadprotectflower.php
                  288292021 ABB.exeGet hashmaliciousFormBookBrowse
                  • www.oc7o0.top/2zff/?Hp=4L8xoD0W4Zo4sy87CvwWXXlmZfhaBYNiZZOBxyE5jHDJEgkxN8cq+PG6NIXzy1XRCqQIvL5VyJCknvUNNLKk6zzmBcbZOQR3Nr9VCMayuUBptQdoGcq8y485hKv0f5POEUdLprTAYpXY&5H=CtUlKhgP42a
                  eiqj38BeRo.rtfGet hashmaliciousFormBookBrowse
                  • www.liposuctionclinics2.today/btrd/?OR-TJfQ=g2Awi9g0RhXmDXdNu5BlCrpPGRTrEfCXfESYZTVa1wMirmNXITW5szlP5E4EhRYb22U+Mw==&2dc=kvXd-rKHCF
                  Purchase Order -JJ023639-PDF.scr.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                  • filetransfer.io/data-package/9a4iHwft/download
Match: 158.101.44.242
Associated Sample Name / URL | Detection | Threat Name | Context
Bank Slip 2.doc | malicious | Snake Keylogger | checkip.dyndns.org/
MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
JgRVqrgNs4.exe | malicious | Snake Keylogger | checkip.dyndns.org/
f3c462280fd1964d68c76ff6889bd3c766fa7140c07962dda32c0cb488188695_payload.exe | malicious | Snake Keylogger | checkip.dyndns.org/
new order.exe | malicious | Snake Keylogger | checkip.dyndns.org/
MT Marine Tiger.exe | malicious | Snake Keylogger | checkip.dyndns.org/
IMG_2007_520073.exe | malicious | PureLog Stealer, Snake Keylogger | checkip.dyndns.org/
PRODUCTS LIST.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Official PO.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Cargo details.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match: reallyfreegeoip.org
Associated Sample Name / URL | Detection | Threat Name | Context
Details.exe | malicious | Snake Keylogger | 188.114.96.3
PM114079-990528.exe | malicious | Snake Keylogger | 188.114.96.3
Bank Slip 2.doc | malicious | Snake Keylogger | 188.114.96.3
MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.97.3
JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.96.3
H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.97.3
oHchwlxMNG.exe | malicious | Snake Keylogger | 188.114.97.3
zkB0qfWSJk.exe | malicious | Snake Keylogger | 188.114.97.3
file.exe | malicious | Snake Keylogger | 188.114.96.3
Match: checkip.dyndns.com
Associated Sample Name / URL | Detection | Threat Name | Context
lista de cotizaciones.xlam.exe | malicious | Snake Keylogger | 132.226.8.169
Details.exe | malicious | Snake Keylogger | 132.226.8.169
PM114079-990528.exe | malicious | Snake Keylogger | 193.122.6.168
Bank Slip 2.doc | malicious | Snake Keylogger | 158.101.44.242
MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
JgRVqrgNs4.exe | malicious | Snake Keylogger | 158.101.44.242
JgRVqrgNs4.exe | malicious | Snake Keylogger | 193.122.6.168
H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
oHchwlxMNG.exe | malicious | Snake Keylogger | 132.226.247.73
zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
call_Playback_ball.com.html | malicious | HTMLPhisher | 104.17.25.14
QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 188.114.97.3
6RVmzn1DzL.exe | malicious | LummaC | 172.67.141.234
Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 172.67.74.152
DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 104.26.13.205
orden de compra.xlam.xlsx | malicious | AgentTesla | 188.114.96.3
https://128.165.205.92.host.secureserver.net/ | malicious | HTMLPhisher | 1.1.1.1
Ziraat Bankasi Swift Mesaji.exe | malicious | GuLoader | 104.26.13.205
JDownloaderSetup.exe | malicious | Unknown | 104.16.148.130
JDownloaderSetup.exe | malicious | Unknown | 104.16.148.130
Match: ORACLE-BMC-31898US
Associated Sample Name / URL | Detection | Threat Name | Context
mirai.mips.elf | malicious | Mirai | 129.147.199.239
PM114079-990528.exe | malicious | Snake Keylogger | 193.122.6.168
0wVYV60JHd.elf | malicious | Mirai | 129.147.194.27
h1dNV0rAcX.elf | malicious | Mirai | 193.122.239.131
Bank Slip 2.doc | malicious | Snake Keylogger | 158.101.44.242
MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 158.101.44.242
JgRVqrgNs4.exe | malicious | Snake Keylogger | 158.101.44.242
JgRVqrgNs4.exe | malicious | Snake Keylogger | 193.122.6.168
H3fwQALXDX.exe | malicious | Snake Keylogger | 193.122.6.168
zkB0qfWSJk.exe | malicious | Snake Keylogger | 193.122.130.0
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Threat Name | Context
Details.exe | malicious | Snake Keylogger | 188.114.96.3
PM114079-990528.exe | malicious | Snake Keylogger | 188.114.96.3
MT_80362_72605XLS.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
bJLd0SUHfj.exe | malicious | Unknown | 188.114.96.3
PGjIoaqfQY.exe | malicious | Unknown | 188.114.96.3
JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.96.3
x6221haMsm.exe | malicious | Unknown | 188.114.96.3
JgRVqrgNs4.exe | malicious | Snake Keylogger | 188.114.96.3
H3fwQALXDX.exe | malicious | Snake Keylogger | 188.114.96.3
oHchwlxMNG.exe | malicious | Snake Keylogger | 188.114.96.3
                  No context
                  Process:C:\Users\user\Desktop\whiteee.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):94302
                  Entropy (8bit):7.917642664391931
                  Encrypted:false
                  SSDEEP:1536:93QKWvqNhX1wt2JN7uYBIErjo51aDJwzLqQO7uS585KsZOE5omTbGb:JQKMqNhlwt2JNyeDJ4LqQO7uSaL5Tab
                  MD5:08E69F513E7135B7F341730C2EB9AE0C
                  SHA1:F1C465DB20849547B40408A3D10476D6FB7588B2
                  SHA-256:CB38FA0173C8D4328AE2D6B3ECAFF70EB2A370788768AA1C75F5E2900DDE0F3B
                  SHA-512:1916976DCBE1F93D647DD5737574AF05F2CE05892C47C9A958DAA32D0000F1ADD0FED98907C19F0D1AA2F274E48E1EBA65EBF0C7F9B7A386C0C09CA6BDD2B65A
                  Malicious:false
                  Reputation:low
                  Preview:EA06.....G.s...aX..f....iA..kU...sE..j@....X.......h`.....X.J0t.......'...b;&..2YD.cE.J,u).z.7..j..L./..&.....e.W..X.ViK..,f...M.J...U...5..*5...C.....`..7U..V.p..,...B.X..@..d.5.....kU.]:iC......T........(3.(.f*`...,.Z...;.../..P.O.B? .o..1....1.. ....f. .a..R..*..7....>..V.0.QiSy............Xi*....&.4.......9.......5..!.y....y..o`.....;.n....b.S..l.).[.0.N............./..Z....n.uY......L...z~.Y.8....,. ........... .A..!.@....XH.....a..,+............D.(.."T....P.Og6.m..0.T.4...=..f5..J.7......a[..f4.e:iK..kU...?E...SP...o...*<.A....}.e......~?I.G/s..B.|..h..%Ra0...sY.&..._.:\.sC..S..`..rh.....~..h......Qc....P..k..v7;..jSH.b'c..4.c..K.Sy...1.K.].m.k=.,*......j\.Y.%K. ..#uH.J.K..g3.mo.1../.`...n.L&...kG...Y..~..G...B11..isY.*g...j5.......&.)......&....x..<..2e..Nh3...{...j}.p........n..^...x.B{....YT..it..U.U*.....;..@R....+..#w:.J.J..hs[.ZaZ.....Tz.1..e.7.....L.rZ...h.N...E.o...fR...c....)E..z.MgS.H.A..N.[.."?A....9^....L.}@..%I.E.s)GZ.V..
                  Process:C:\Users\user\Desktop\whiteee.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):9756
                  Entropy (8bit):7.59858423713064
                  Encrypted:false
                  SSDEEP:192:Zj4X4BSXRq4D63ILqnXTj9aiAjtFMw5V8vdjE6TH8XyMBMEuVV:l4oBSfD6YLCTEbjMwYvdkyJEI
                  MD5:E6437615E55D65F684E3B1225B1A154D
                  SHA1:6626CBA35D589C334597BEF3B683134A2B731529
                  SHA-256:14422302512F449ABD823C0E3AE8BFEACC008597714B8FA010DDFE1DB8BFC73A
                  SHA-512:FC315B301BFEB27C8070D793F2224F146F42222EEA21C658686B096D9F23AF4569CE938AF0AAF8D1879BB0780DE4957F9E7C7116144EC24780029ED8DE1AFAAF
                  Malicious:false
                  Reputation:low
                  Preview:EA06..p......\.k8.......p.L&S...k6......1.L&.i..i5.M-...K.....7...p. .... .o...m.\-......[..9....3.|.f....s2..@.]..g3@..h.m.M.......8.l..6....a.........i4........g3Y...c ._..k4...d....H-.......Ap.H..g.....F..=q....>....C`....@02..N@...u.t....Y..ao.M.]>........x>;.......j.;.......j.;.....L.j.;..... '.b.5.....^..f./Z.M..#^...h.#..z.o0.H....S....#.p..N@B=8..........l......>_L......|........`.R...Mf....m8....d....{.........x.....I..l...$..6..._...r...f..x.g.o..l|3I..h...|..K...4.;x#G.o.h.-. .o..0...f........n.@./..6.......%.....\.4.p.\&..is...3I....x\'....f.)..F.8....ep.....9...I.....,......50...bi2..4.9..`....n.0...v....Yvp.N.B3@...B3....@.5n..a....%p.....c......S....5..B3`..\f@....,fmq.L.`+ .#7.....c. ...7)......f.....,vf.....o3.N.M..p...0.....3o..N.i...9...!94.X...c79..s4..F.!..f......Xjqr...W...f.....f.,...6.......g.....,vj.....r...B..!...;6....h...7...&.S ...,fqq....,P.!...(..Y...F.....s7..B3`.....;7.X...q..@B..Fj......g....9-...#.q...!78.X...c3...mr...
                  Process:C:\Users\user\Desktop\whiteee.exe
                  File Type:ASCII text, with very long lines (28680), with no line terminators
                  Category:dropped
                  Size (bytes):28680
                  Entropy (8bit):3.5819791737673996
                  Encrypted:false
                  SSDEEP:384:YzJejro12+7eXZdNPlWrqGjfOtr+KJmJEcouNlLmmuN0b0mTTqLOTHhC:YNegs6eXDNPlWrGtwJEcouNpuXIT0KC
                  MD5:A327834B411331A2A30DD0982B1B0FD0
                  SHA1:CFED37E33A24005D85BF1C9F70ED67AB517F8FBF
                  SHA-256:5E9FA4E8A141D8720FF63B2ADD4A8D22046F1B8A177725FE2F89852AC1F2AF55
                  SHA-512:84BB685943B0953137BC1F676C66CE950815BB2D076AB2E51AD91F5EF4522A74322A329D89C3917361F6F08C53F00FE5E36A76C01B45D7871F9FD8B25EA04B20
                  Malicious:false
                  Reputation:low
                  Preview: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
                  Process:C:\Users\user\Desktop\whiteee.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):133120
                  Entropy (8bit):6.981698798475341
                  Encrypted:false
                  SSDEEP:3072:mdfi0JI5x2QxTz0qJteWhqUZXxLYGlaCB4I5WHn1:mdXeDlQetThqokMaCaIEV
                  MD5:4C2A282BAB95F9DA2CFE55CEF1A10DF4
                  SHA1:4B1DCC4B7D0DD47E643B423480C0DB7BF55FDBD6
                  SHA-256:45F186D0F1364BAC390B52C5E872CC731EB18D754151EF096D82A16FC73BB819
                  SHA-512:76DD642F670ED04992E42C09EC7003E3EDF5E49B6870E869C1257A115AF2F8EFBAD1DB6BF05591114114212F4353B1556C522622A6085DD5B78761DDE6A5AD52
                  Malicious:false
                  Reputation:low
                  Preview:t..1Q00X=A59..4A.UZPV79E.1R00X9A59IN4A1UZPV79EC1R00X9A59IN4A.UZPX(.KC.[...8....&]2.%(?1EX(cR3^^7MaW\i<A/.<4p.xje.^6U.U4K.9IN4A1U..V7uD@1~UE>9A59IN4A.UXQ]6iEC.S00L9A59IN.P3UZpV79eA1R0pX9a59IL4A5UZPV79EG1R00X9A5YKN4C1UZPV7;E..R0 X9Q59IN$A1EZPV79ES1R00X9A59IN.P3U.PV79eA1. 0X9A59IN4A1UZPV79ECqP0<X9A59IN4A1UZPV79EC1R00X9A59IN4A1UZPV79EC1R00X9A59IN4a1URPV79EC1R00X1a59.N4A1UZPV79EmE7HDX9A..HN4a1UZ.W79GC1R00X9A59IN4A.UZ0xEJ7 1R0.H9A5.KN4S1UZ.W79EC1R00X9A59.N4..'?<9T9EO1R00.;A5;IN4G3UZPV79EC1R00XyA5{IN4A1UZPV79EC1R0@I;A59IN|A1UXPS7.dB1V.0X:A59.N4G.u[P.79EC1R00X9A59IN4A1UZPV79EC1R00X9A59IN4A1UZP.J.J..YC..A59IN4@3V^V^?9EC1R00XGA59.N4AqUZPa79Ef1R0]X9A.9INJA1U$PV7]EC1 00XXA59.N4A^UZP879E=1R0.Z.a59Cd.A3}{PV=9o.Bp00R.@59M=.A1_.RV7=6g1R:.[9A1JlN4K.QZPRD.EC;.50X=ko9J."G1UA?o79OC2.%6X9Z..IL.{1UPP|.9F.$T00C.c5;.G4A5..#K79CkrR0:,0A5;.D4A5.DR~s9EI.pN X9E.9clJP1U^{V..;Q1R4.X.cK*IN0j1.x.B79Ah1x.2.-A5=clJT1U^{V..;U1R4.X.cK.IN0j1.DR. 9EG.T.RXK.)99M[.1U\x.79OknR06X.{5GiN4E3:.PV=.o.1P.1Y9K5;J3.A1QXT+.9EG..02#.A
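Added example, not part of the Joe Sandbox report: how the "Entropy (8bit)" figure in the dropped-file blocks above is computed, and how an analyst combines it with a leading-bytes check. Three of the four dropped blobs score 7.6 to 7.9 bits per byte, which is what compressed or encrypted data looks like regardless of the "Encrypted: false" flag, and two of them begin with the bytes "EA06". Treating that prefix as the AutoIt3 compiled-script format tag is an assumption taken from the report's "likely a compiled AutoIt script file" signature, not something the report states. The sample buffers are constructed stand-ins, not the real dropped files.

```python
import math
import random
from collections import Counter

# Constructed stand-ins for the dropped files (NOT the real blobs from the report):
# two "EA06"-prefixed buffers filled with seeded pseudo-random bytes, and one
# plain-text buffer that uses only 16 distinct byte values.
_rng = random.Random(0x5EED)
SAMPLES = {
    "blob_a": b"EA06" + bytes(_rng.getrandbits(8) for _ in range(4096)),
    "blob_b": b"EA06" + bytes(_rng.getrandbits(8) for _ in range(1024)),
    "text_c": b"abcdefghijklmnop" * 64,
}

# Assumption: the 4-byte "EA06" head seen on the dropped blobs is the AutoIt3
# compiled-script format tag (the report only says "likely a compiled AutoIt script").
AUTOIT_SCRIPT_TAG = b"EA06"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 .. 8.0 (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(name: str, data: bytes, high_entropy: float = 7.0) -> dict:
    """Summarise one dropped file the way the report's dropped-file block is read:
    size, entropy, format tag, and whether the entropy implies packing/encryption."""
    e = shannon_entropy(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(e, 3),
        "autoit_tag": data.startswith(AUTOIT_SCRIPT_TAG),
        "likely_packed_or_encrypted": e >= high_entropy,
    }


def triage_all(samples: dict = SAMPLES) -> list:
    return [triage(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for row in triage_all():
        print(row)
```

The 7.0 threshold is a working rule of thumb, not a property of the format: plain text sits around 4 to 5 bits per byte, native code around 6 to 6.5, and anything above 7.5 is almost always compressed or encrypted. Because the tag check reads only the first four bytes, run it before any decompression attempt and keep the SHA-256 from the report as the identity of the artefact.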
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):6.789821451267343
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:whiteee.exe
                  File size:1'078'272 bytes
                  MD5:9a961cdb405219d714347c06a7a6a995
                  SHA1:2bf6f2e31d453c52685f8ffeaa52056aa727674d
                  SHA256:2cbc13099ee1ba4b8c671bfca525bb2c5c057c2fc13df105dec2852a8b672e50
                  SHA512:c016af696bf4b3eb6d27a61afc6760eee7d50624ee198e9d64562564ee6f5243508edf215b5325010ee9a484cbe4d218bc6beb52eefe9a548738022e82fedf3f
                  SSDEEP:24576:tqDEvCTbMWu7rQYlBQcBiT6rprG8af3BG5kPJ:tTvC/MTQYxsWR7afJ
                  TLSH:70358D03738D822EFF9A91721B76E23146BC6F270123A55F32D85D7EB970165063E6E2
                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                  Icon Hash:6ced8d96b2ace4b2
                  Entrypoint:0x420577
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66834214 [Mon Jul 1 23:56:04 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:948cc502fe9226992dce9417f952fce3
                  Instruction
                  call 00007FAD0CE15873h
                  jmp 00007FAD0CE1517Fh
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FAD0CE1535Dh
                  mov dword ptr [esi], 0049FDF0h
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 0049FDF8h
                  mov dword ptr [ecx], 0049FDF0h
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FAD0CE1532Ah
                  mov dword ptr [esi], 0049FE0Ch
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 0049FE14h
                  mov dword ptr [ecx], 0049FE0Ch
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  mov esi, ecx
                  lea eax, dword ptr [esi+04h]
                  mov dword ptr [esi], 0049FDD0h
                  and dword ptr [eax], 00000000h
                  and dword ptr [eax+04h], 00000000h
                  push eax
                  mov eax, dword ptr [ebp+08h]
                  add eax, 04h
                  push eax
                  call 00007FAD0CE17F1Dh
                  pop ecx
                  pop ecx
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  lea eax, dword ptr [ecx+04h]
                  mov dword ptr [ecx], 0049FDD0h
                  push eax
                  call 00007FAD0CE17F68h
                  pop ecx
                  ret
                  push ebp
                  mov ebp, esp
                  push esi
                  mov esi, ecx
                  lea eax, dword ptr [esi+04h]
                  mov dword ptr [esi], 0049FDD0h
                  push eax
                  call 00007FAD0CE17F51h
                  test byte ptr [ebp+08h], 00000001h
                  pop ecx
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x309d4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x105000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x309d4 | 0x30a00 | 53b90fe8965d1e582c974302cca02fb6 | False | 0.6482567480719794 | data | 7.032311781909001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x105000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd4458 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd4580 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd46a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd47d0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 34556 x 34556 px/m | English | Great Britain | 0.07952797823258015
RT_MENU | 0xe4ff8 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xe5048 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xe55dc | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xe5c68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xe60f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xe66f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xe6d50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xe71b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xe7310 | 0x1d176 | data | | | 1.0003860420618003
RT_GROUP_ICON | 0x104488 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10449c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1044b0 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1044c4 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1044d8 | 0x10c | data | English | Great Britain | 0.5970149253731343
RT_MANIFEST | 0x1045e4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
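Added example, not part of the Joe Sandbox report: a capability triage over the import table above. The report's behavioural signatures ("Writes to foreign memory regions", "Contains functionality to block mouse and keyboard input", "open a port and listen", and so on) can largely be predicted statically from which API groups are imported together, and this is how an analyst confirms that a signature is backed by the import table rather than by a runtime-resolved call. The rows below are an excerpt of the report's table, reproduced in the same flattened "DLLfunction, function" form the report uses; each rule fires only when every API in its group is present, because a single import such as VirtualAllocEx says little on its own. The grouping and rule names are this example's own, not Joe Sandbox's.

```python
import re

# Excerpt of the report's import table, copied in its flattened "DLLfunction, function"
# form. Only a subset of each DLL's functions is reproduced; a DLL whose list wraps
# across lines in the report must be joined back into one row before parsing.
IMPORT_ROWS = [
    "WSOCK32.dllgethostbyname, recv, send, socket, accept, listen, bind, connect, closesocket",
    "KERNEL32.dllOpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, "
    "CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, IsDebuggerPresent, "
    "DeviceIoControl, CreateProcessW",
    "USER32.dllGetAsyncKeyState, GetKeyState, GetKeyboardState, BlockInput, "
    "GetClipboardData, SetClipboardData, keybd_event, SendInput",
    "ADVAPI32.dllAdjustTokenPrivileges, OpenProcessToken, LogonUserW, "
    "CreateProcessAsUserW, CreateProcessWithLogonW",
    "WININET.dllInternetOpenW, InternetOpenUrlW, InternetReadFile, HttpSendRequestW",
]

# The DLL name runs straight into the first function name; the ".dll"/".DLL" suffix is
# the only delimiter available, so split on it.
_ROW = re.compile(r"^(?P<dll>[A-Za-z0-9_]+\.(?:dll|DLL))(?P<funcs>.*)$")


def parse_imports(rows):
    """Map lower-cased DLL name -> list of imported function names."""
    imports = {}
    for row in rows:
        m = _ROW.match(row)
        if not m:
            raise ValueError(f"unparseable import row: {row[:40]!r}")
        funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
        imports[m.group("dll").lower()] = funcs
    return imports


# Capability rules (this example's own grouping), worded after the report's signatures.
CAPABILITY_RULES = {
    "writes to foreign memory regions": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "enumerates running processes": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "checks for a debugger": {"IsDebuggerPresent"},
    "blocks mouse and keyboard input": {"BlockInput"},
    "reads clipboard data": {"GetClipboardData"},
    "polls keyboard state": {"GetAsyncKeyState", "GetKeyState"},
    "opens a port and listens": {"socket", "bind", "listen", "accept"},
    "launches a process as a different user": {"CreateProcessAsUserW", "CreateProcessWithLogonW", "LogonUserW"},
    "communicates with device drivers": {"DeviceIoControl"},
}


def capabilities(imports):
    """Names of every rule whose full API group appears somewhere in the import table."""
    all_funcs = {f for funcs in imports.values() for f in funcs}
    return sorted(name for name, apis in CAPABILITY_RULES.items() if apis <= all_funcs)


if __name__ == "__main__":
    for cap in capabilities(parse_imports(IMPORT_ROWS)):
        print("static import evidence:", cap)
```

A caveat that matters for this sample: the import table belongs to the AutoIt interpreter stub, not to the script it carries, so these capabilities describe what the interpreter can do on the script's behalf. A script that resolves APIs itself through DllCall leaves no trace here, which is why the report's dynamic signatures (LdrGetProcedureAddress, GetProcAddress use) are the stronger evidence.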
Language of compilation system | Country where language is spoken
English | Great Britain
                  TimestampSource PortDest PortSource IPDest IP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 2, 2024 08:38:55.875473022 CEST | 64072 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 08:38:55.884227991 CEST | 53 | 64072 | 1.1.1.1 | 192.168.2.6
                  Jul 2, 2024 08:38:56.737998009 CEST | 61304 | 53 | 192.168.2.6 | 1.1.1.1
                  Jul 2, 2024 08:38:56.746923923 CEST | 53 | 61304 | 1.1.1.1 | 192.168.2.6
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 2, 2024 08:38:55.875473022 CEST | 192.168.2.6 | 1.1.1.1 | 0xa8fc | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:56.737998009 CEST | 192.168.2.6 | 1.1.1.1 | 0x183 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:55.884227991 CEST | 1.1.1.1 | 192.168.2.6 | 0xa8fc | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:56.746923923 CEST | 1.1.1.1 | 192.168.2.6 | 0x183 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
                  Jul 2, 2024 08:38:56.746923923 CEST | 1.1.1.1 | 192.168.2.6 | 0x183 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                  • reallyfreegeoip.org
                  • checkip.dyndns.org
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49711 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:38:55.898494959 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jul 2, 2024 08:38:56.513449907 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:56 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: c16f1a85a172c2c09b02c78ad0d1c4a4
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jul 2, 2024 08:38:56.518548965 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 2, 2024 08:38:56.698467016 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:56 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 318f3ed8069c34e390a79d2b6aa3b661
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jul 2, 2024 08:38:57.447247028 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 2, 2024 08:38:57.869168997 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:57 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: e8f07c787056f1fe38fb53bdeef3d2ba
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.6 | 49714 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:38:58.482341051 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 2, 2024 08:38:59.466856003 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:59 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 9182d28c6d8ff9fbc6ae31de6e2691a1
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                  Jul 2, 2024 08:38:59.467243910 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:59 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 9182d28c6d8ff9fbc6ae31de6e2691a1
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.6 | 49716 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:39:00.130814075 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 2, 2024 08:39:00.777565002 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:00 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 23786e94edefbee01e096125e2f7b93e
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  3 | 192.168.2.6 | 49718 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:39:01.417824030 CEST | 127 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Jul 2, 2024 08:39:02.267807007 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:02 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: c0b75b9ec67b47e755e5809855243856
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  4 | 192.168.2.6 | 49720 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:39:02.934290886 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jul 2, 2024 08:39:03.774065971 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:03 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 6446cddb7fe773e74bf2d80fbd106f43
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  5 | 192.168.2.6 | 49723 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:39:04.800592899 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jul 2, 2024 08:39:06.032855988 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:05 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: 41be55970c10c26f7b023a8d835676f3
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  6 | 192.168.2.6 | 49725 | 158.101.44.242 | 80 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 08:39:06.704950094 CEST | 151 | OUT | GET / HTTP/1.1
                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                  Host: checkip.dyndns.org
                  Connection: Keep-Alive
                  Jul 2, 2024 08:39:07.301351070 CEST | 320 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:07 GMT
                  Content-Type: text/html
                  Content-Length: 103
                  Connection: keep-alive
                  Cache-Control: no-cache
                  Pragma: no-cache
                  X-Request-ID: e29a332dd259ea1302bcf9203aea7e20
                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.6 | 49712 | 188.114.96.3 | 443 | 4420 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:38:57 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-02 06:38:57 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:57 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18666
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hoZM6Wl%2BtwyOZ2SLLSLdFxgr6%2FEWruxD1%2FNc9oHu6H4usyQLaI6UPVLo%2BSDSR3RrsixyfBz1E9OYO7O3VqaFtK1wRqgsEweID0seoxIuIWLJgXg5aQc0Ysepsgk0cjLyKUhgOLME"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2c89c2b0f4f-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:38:57 UTC | 340 | IN | Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:38:57 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:1
                  Source IP:192.168.2.6
                  Source Port:49713
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:38:58 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-02 06:38:58 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:38:58 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18667
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DTGE%2BHJulkPO8KShYKp0ZIC4yVYuYY%2FS%2FMOZkzWhqMR4wklBALv16oTqBi8h97yI79sGVY2CcyPSU7dFFw01s37TKGEqMW6IN9NXXF%2Bb7Q8H2QtD48eYMNIhpGURWYbJTgItpwJD"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2cf0d687cb2-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:38:58 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:38:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:2
                  Source IP:192.168.2.6
                  Source Port:49715
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:38:59 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-02 06:39:00 UTC | 714 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:00 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18669
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GWRS%2Fj9phIoHkfyc6oTavevlK66qB7a%2BRtUykcTar%2BoQ0nOeQfzg%2BgWWFnq95UeW59%2B8ihYc1A27wdsV6hRJqiawUFEznNUk%2FaAcHJqZfXMIxjbkWU6pGjZTI8Qze9t12oPSVt%2BO"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2d95f8742bb-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:00 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:00 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:3
                  Source IP:192.168.2.6
                  Source Port:49717
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:39:01 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-02 06:39:01 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:01 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18670
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=In6iQt53Rb7rno5Jc9dGdj9U4mHGLGdU6oRMZmMYEfZo%2Bbq3hk38fZSrfYb%2BMZ681CTY%2BreCFj7pAIWpwBg7OV84OCS4U1CGhemKj6SFxwZ98bYLvcYZ3M%2BKLXBgF5VDXNX5XWP3"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2e16e5142ec-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:01 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:4
                  Source IP:192.168.2.6
                  Source Port:49719
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:39:02 UTC | 60 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  2024-07-02 06:39:02 UTC | 716 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:02 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18671
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=szhHeGjT%2FcM9b73vJohVdX8iioryD0R08z0yn8LO5%2B7CDnER%2B%2BKFdQ04gPw8%2B0ieEvSw%2FAHQqF2V%2BS2RViE9ESNyDU81ytiO3JMri7PhdRpoUrpF%2FA8FYgeGLinr0Ti0zu2aoMw0"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2eaacc0c42a-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:02 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:02 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:5
                  Source IP:192.168.2.6
                  Source Port:49721
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:39:04 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-02 06:39:04 UTC | 712 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:04 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18673
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YqZADUUcM1CfrEBPedw%2B7AR05MnF3sD6o1b%2BfGyv9WaHpGKhc1OnF50oQX4DGaJSbsuG2rNJUsWuzqeT9d2Ts8RX2%2BEAiU7rrBmwdTM2RNwZDF0HwnwMSH9R3t%2Btl6vgrfp%2B%2Fkv9"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca2f44a867d06-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:04 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:6
                  Source IP:192.168.2.6
                  Source Port:49724
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:39:06 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-02 06:39:06 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:06 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18675
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BTzD4xOSNw0wibxI6955ZEFML32BmZ6XmiOSb33p0wKJbQUI4a28oBVaXD%2FfDT%2FKH%2FZ8GqGY11G7GO3BnP7fAxCsb9DrX1LgK8Xq6rjDFy1V3Kf73aUzzQrOz7QcgddcS3egIvzb"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca302596418b1-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:06 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:06 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID:7
                  Source IP:192.168.2.6
                  Source Port:49726
                  Destination IP:188.114.96.3
                  Destination Port:443
                  PID:4420
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Timestamp | Bytes transferred | Direction | Data
                  2024-07-02 06:39:07 UTC | 84 | OUT | GET /xml/8.46.123.33 HTTP/1.1
                  Host: reallyfreegeoip.org
                  Connection: Keep-Alive
                  2024-07-02 06:39:07 UTC | 708 | IN | HTTP/1.1 200 OK
                  Date: Tue, 02 Jul 2024 06:39:07 GMT
                  Content-Type: application/xml
                  Transfer-Encoding: chunked
                  Connection: close
                  access-control-allow-origin: *
                  vary: Accept-Encoding
                  Cache-Control: max-age=86400
                  CF-Cache-Status: HIT
                  Age: 18676
                  Last-Modified: Tue, 02 Jul 2024 01:27:51 GMT
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lsG2nH32jxWeAPamZT63448lhF5B5oZnS0LJF%2Fk37LhEa%2Fwggthov%2BslsosqsHTafVsjqzHMeVApnU8if%2FVZ5SXHaYV4hQCwN9hO9Ig1qqQVv07hDXSRCJySyEs73G1JqVC2dJCq"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 89cca30a4bd94332-EWR
                  alt-svc: h3=":443"; ma=86400
                  2024-07-02 06:39:07 UTC | 340 | IN | Data Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                  Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                  2024-07-02 06:39:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0
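The seven sessions above are the sample, running inside RegSvcs.exe, asking reallyfreegeoip.org for the geolocation of its own public address (GET /xml/8.46.123.33, answered with a chunked XML body). As an added example that is not part of the Joe Sandbox report, the Python below does two things a responder would do with this dump: it decodes the hex "Data Raw" chunk exactly as displayed (the display is cut off inside the Latitude element) and pulls out the geolocation fields, and it runs a detection rule over the session table. The GEOIP_HOSTS and DOTNET_UTILITIES lists, the firefox.exe control row and the alert wording are the author's assumptions; only reallyfreegeoip.org, RegSvcs.exe and the session rows come from the report.

```python
"""Added example, not part of the Joe Sandbox report: (1) decode the hex
"Data Raw" chunk shown above and pull out the geolocation fields, tolerating
the truncated display; (2) a detection rule over the session table for a .NET
utility (RegSvcs.exe) querying a public GeoIP service about its own address.
GEOIP_HOSTS and DOTNET_UTILITIES are the author's assumptions; the report only
shows reallyfreegeoip.org and RegSvcs.exe."""
import re
from collections import namedtuple

# Hex copied from the "Data Raw" line of session 1; the sandbox cuts the display
# short, so the chunk body ends inside <Latitude>.
DATA_RAW = (
    "31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 "
    "3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 "
    "3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 "
    "3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 "
    "3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 "
    "3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 "
    "3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 "
    "3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 "
    "3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35"
)
GEO_FIELDS = ("IP", "CountryCode", "CountryName", "RegionCode", "RegionName",
              "City", "ZipCode", "TimeZone", "Latitude", "Longitude")


def decode_chunk(hex_dump):
    """Decode one 'Transfer-Encoding: chunked' chunk from a hex dump. The size
    line is hex (possibly with ';ext' chunk extensions); a body shorter than
    declared is reported as truncated rather than rejected."""
    raw = bytes.fromhex(hex_dump)
    size_line, sep, body = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("chunk-size line not terminated")
    declared = int(size_line.split(b";")[0], 16)
    return {"declared": declared, "received": len(body),
            "truncated": len(body) < declared,
            "body": body.decode("utf-8", errors="replace")}


def parse_geoip_xml(body):
    """Extract <Tag>value</Tag> pairs. A regex is used on purpose: the captured
    body is not well-formed XML (it stops inside <Latitude>), so xml.etree would
    raise; an unterminated last element yields the partial value it has."""
    fields = {}
    for tag in GEO_FIELDS:
        m = re.search(rf"<{tag}>(.*?)(?:</{tag}>|$)", body, re.S)
        if m:
            fields[tag] = m.group(1).strip()
    return fields


Session = namedtuple("Session", "sid src sport dst dport pid process host request")
# Assumption: IP-echo / geolocation services malware uses to profile the victim.
GEOIP_HOSTS = {"reallyfreegeoip.org", "freegeoip.app", "ip-api.com", "ipinfo.io",
               "checkip.dyndns.org"}
# Assumption: .NET framework utilities that never need HTTP and are popular injection hosts.
DOTNET_UTILITIES = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def geoip_alerts(sessions, min_repeats=3):
    """R1: a .NET utility binary talks to a GeoIP host.
    R2: one PID queries the same GeoIP host at least min_repeats times."""
    alerts, per_key = [], {}
    for s in sessions:
        exe, host = s.process.rsplit("\\", 1)[-1].lower(), s.host.lower()
        if host not in GEOIP_HOSTS:
            continue
        per_key.setdefault((s.pid, exe, host), []).append(s.sid)
        if exe in DOTNET_UTILITIES:
            alerts.append(f"R1 session {s.sid}: {exe} (pid {s.pid}) -> {host} {s.request}")
    for (pid, exe, host), sids in per_key.items():
        if len(sids) >= min_repeats:
            alerts.append(f"R2 pid {pid} ({exe}) queried {host} {len(sids)}x, sessions {sids}")
    return alerts


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
# Sessions 1-7 as tabulated in the report; session 99 is a constructed benign control.
SAMPLE_SESSIONS = [
    Session(i, "192.168.2.6", p, "188.114.96.3", 443, 4420, REGSVCS,
            "reallyfreegeoip.org", "GET /xml/8.46.123.33 HTTP/1.1")
    for i, p in enumerate((49713, 49715, 49717, 49719, 49721, 49724, 49726), start=1)
] + [Session(99, "192.168.2.6", 50001, "93.184.216.34", 443, 1234,
             r"C:\Program Files\Mozilla Firefox\firefox.exe", "example.com", "GET / HTTP/1.1")]

if __name__ == "__main__":
    chunk = decode_chunk(DATA_RAW)
    print(f"declared={chunk['declared']} received={chunk['received']} truncated={chunk['truncated']}")
    print(parse_geoip_xml(chunk["body"]))
    print("\n".join(geoip_alerts(SAMPLE_SESSIONS)))
```

The truncation handling is the point of the first half: the chunk-size line declares 0x14d (333) bytes but the report shows fewer, so feeding the capture to an XML parser fails, while the tag-by-tag extractor still recovers IP and CountryCode, the fields a country check would consume. The second half flags both the LOLBIN-to-GeoIP pairing and the repetition (the same PID asked seven times in ten seconds), so either rule alone catches this run.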



                  Target ID:0
                  Start time:02:38:53
                  Start date:02/07/2024
                  Path:C:\Users\user\Desktop\whiteee.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\whiteee.exe"
                  Imagebase:0xf20000
                  File size:1'078'272 bytes
                  MD5 hash:9A961CDB405219D714347C06A7A6A995
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Envrial credential stealer malware, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hooking, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2164059753.00000000014B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:02:38:54
                  Start date:02/07/2024
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\whiteee.exe"
                  Imagebase:0xa70000
                  File size:45'984 bytes
                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000002.00000002.4608953854.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4609772501.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4609772501.0000000002F8C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false
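Target ID 2 is C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe started with the command line "C:\Users\user\Desktop\whiteee.exe": the loader handed the .NET utility its own command line at process creation, and the Snake Keylogger rules match on memory inside RegSvcs.exe at 0x402000 rather than at its 0xa70000 image base, which is the pattern of a hollowed or injected host. Comparing argv[0] from the command line with the mapped image is a cheap triage rule for exactly this. The Python below is an added example and not part of the report; rows 0 and 2 reproduce the two process entries above, while row 3 (a normal RegSvcs.exe registration with a Contoso path) is constructed as a control.

```python
r"""Added example, not part of the Joe Sandbox report. Target ID 2 above is
RegSvcs.exe whose command line reads "C:\Users\user\Desktop\whiteee.exe": the
loader passed its own command line when creating the .NET utility, so argv[0]
no longer names the mapped image. This check parses argv[0] the way Windows
does for a quoted path and compares it with the image. Rows 0 and 2 reproduce
the report; row 3 is a constructed benign RegSvcs.exe invocation used as a control."""
import ntpath
from collections import namedtuple

ProcessRecord = namedtuple("ProcessRecord", "target_id path commandline")


def first_argv_token(cmdline):
    """argv[0] as CommandLineToArgvW derives it: a leading double quote makes
    the token run to the next double quote, otherwise it ends at whitespace."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def image_cmdline_mismatch(rec):
    """True when argv[0] names a different executable than the mapped image.
    Comparison is on the lower-cased base name, so 'RegSvcs.exe /tlb x.dll'
    (no directory) still matches the RegSvcs.exe image."""
    argv0 = ntpath.basename(first_argv_token(rec.commandline)).lower()
    image = ntpath.basename(rec.path).lower()
    return bool(argv0) and argv0 != image


def suspicious_targets(records):
    """Target IDs whose command line does not name their own image."""
    return [r.target_id for r in records if image_cmdline_mismatch(r)]


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_RECORDS = [
    ProcessRecord(0, r"C:\Users\user\Desktop\whiteee.exe", r'"C:\Users\user\Desktop\whiteee.exe"'),
    ProcessRecord(2, REGSVCS, r'"C:\Users\user\Desktop\whiteee.exe"'),
    # constructed control: RegSvcs.exe launched normally to register an assembly
    ProcessRecord(3, REGSVCS, r'RegSvcs.exe /tlb "C:\Program Files\Contoso\comlib.dll"'),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        flag = "MISMATCH" if image_cmdline_mismatch(rec) else "ok"
        print(f"Target {rec.target_id}: {flag:8} image={ntpath.basename(rec.path)} "
              f"argv0={first_argv_token(rec.commandline)}")
```

On a live host the same two values come from the process image path and the PEB command line (Sysmon event 1 carries both as Image and CommandLine), so the rule ports directly to a SIEM query; the quoted-path parsing matters because most injected hosts, as here, carry a quoted absolute path rather than a bare name.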


                    Execution Graph

                    Execution Coverage:3.3%
                    Dynamic/Decrypted Code Coverage:0.4%
                    Signature Coverage:3%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:41
                    execution_graph: interactive call-graph rendering of whiteee.exe (node IDs, code addresses and edge list omitted). Windows API calls named in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RtlAllocateHeap, RaiseException, PostQuitMessage, DefWindowProcW, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, LoadLibraryA, LoadLibraryExW, FreeLibrary, GetModuleFileNameW, GetFullPathNameW. CRT internals referenced: __fread_nolock, _wcslen, _strftime, __onexit, __wsopen_s, ___std_exception_copy, ___scrt_fastfail, _free.
22 API calls 95987->95989 95990 f23ada 95989->95990 95993 f237a0 95990->95993 95994 f237ae 95993->95994 95995 f293b2 22 API calls 95994->95995 95996 f237c2 95995->95996 95996->95890 95998 f2a6dd 95997->95998 96002 f2a6d0 95997->96002 95999 f3fddb 22 API calls 95998->95999 96000 f2a6e7 95999->96000 96001 f3fe0b 22 API calls 96000->96001 96001->96002 96002->95990 96004 f24ec6 96003->96004 96005 f24ea8 GetProcAddress 96003->96005 96008 f4e5eb 96004->96008 96006 f24eb8 96005->96006 96006->96004 96007 f24ebf FreeLibrary 96006->96007 96007->96004 96041 f4e52a 96008->96041 96010 f24eea 96010->95902 96010->95903 96012 f24e6e GetProcAddress 96011->96012 96013 f24e8d 96011->96013 96014 f24e7e 96012->96014 96016 f24f80 96013->96016 96014->96013 96015 f24e86 FreeLibrary 96014->96015 96015->96013 96017 f3fe0b 22 API calls 96016->96017 96018 f24f95 96017->96018 96109 f25722 96018->96109 96020 f24fa1 __fread_nolock 96021 f250a5 96020->96021 96022 f63d1d 96020->96022 96032 f24fdc 96020->96032 96112 f242a2 CreateStreamOnHGlobal 96021->96112 96123 f9304d 74 API calls 96022->96123 96025 f63d22 96027 f2511f 64 API calls 96025->96027 96026 f250f5 40 API calls 96026->96032 96028 f63d45 96027->96028 96029 f250f5 40 API calls 96028->96029 96031 f2506e ISource 96029->96031 96031->95910 96032->96025 96032->96026 96032->96031 96118 f2511f 96032->96118 96034 f25107 96033->96034 96035 f63d70 96033->96035 96145 f4e8c4 96034->96145 96038 f928fe 96287 f9274e 96038->96287 96040 f92919 96040->95918 96044 f4e536 ___BuildCatchObject 96041->96044 96042 f4e544 96066 f4f2d9 20 API calls _free 96042->96066 96044->96042 96046 f4e574 96044->96046 96045 f4e549 96067 f527ec 26 API calls _abort 96045->96067 96048 f4e586 96046->96048 96049 f4e579 96046->96049 96058 f58061 96048->96058 96068 f4f2d9 20 API calls _free 96049->96068 96052 f4e58f 96053 f4e595 96052->96053 96054 f4e5a2 96052->96054 96069 f4f2d9 20 API calls _free 96053->96069 96070 f4e5d4 LeaveCriticalSection __fread_nolock 96054->96070 96055 f4e554 
__wsopen_s 96055->96010 96059 f5806d ___BuildCatchObject 96058->96059 96071 f52f5e EnterCriticalSection 96059->96071 96061 f5807b 96072 f580fb 96061->96072 96065 f580ac __wsopen_s 96065->96052 96066->96045 96067->96055 96068->96055 96069->96055 96070->96055 96071->96061 96078 f5811e 96072->96078 96073 f58088 96085 f580b7 96073->96085 96074 f58177 96090 f54c7d 96074->96090 96078->96073 96078->96074 96088 f4918d EnterCriticalSection 96078->96088 96089 f491a1 LeaveCriticalSection 96078->96089 96080 f58189 96080->96073 96103 f53405 11 API calls 2 library calls 96080->96103 96082 f581a8 96104 f4918d EnterCriticalSection 96082->96104 96108 f52fa6 LeaveCriticalSection 96085->96108 96087 f580be 96087->96065 96088->96078 96089->96078 96095 f54c8a _free 96090->96095 96091 f54cca 96106 f4f2d9 20 API calls _free 96091->96106 96092 f54cb5 RtlAllocateHeap 96093 f54cc8 96092->96093 96092->96095 96097 f529c8 96093->96097 96095->96091 96095->96092 96105 f44ead 7 API calls 2 library calls 96095->96105 96098 f529d3 RtlFreeHeap 96097->96098 96102 f529fc _free 96097->96102 96099 f529e8 96098->96099 96098->96102 96107 f4f2d9 20 API calls _free 96099->96107 96101 f529ee GetLastError 96101->96102 96102->96080 96103->96082 96104->96073 96105->96095 96106->96093 96107->96101 96108->96087 96110 f3fddb 22 API calls 96109->96110 96111 f25734 96110->96111 96111->96020 96113 f242bc FindResourceExW 96112->96113 96117 f242d9 96112->96117 96114 f635ba LoadResource 96113->96114 96113->96117 96115 f635cf SizeofResource 96114->96115 96114->96117 96116 f635e3 LockResource 96115->96116 96115->96117 96116->96117 96117->96032 96119 f63d90 96118->96119 96120 f2512e 96118->96120 96124 f4ece3 96120->96124 96123->96025 96127 f4eaaa 96124->96127 96126 f2513c 96126->96032 96130 f4eab6 ___BuildCatchObject 96127->96130 96128 f4eac2 96140 f4f2d9 20 API calls _free 96128->96140 96130->96128 96131 f4eae8 96130->96131 96142 f4918d EnterCriticalSection 96131->96142 96132 f4eac7 96141 f527ec 26 API calls _abort 
96132->96141 96134 f4eaf4 96143 f4ec0a 62 API calls 2 library calls 96134->96143 96137 f4eb08 96144 f4eb27 LeaveCriticalSection __fread_nolock 96137->96144 96139 f4ead2 __wsopen_s 96139->96126 96140->96132 96141->96139 96142->96134 96143->96137 96144->96139 96148 f4e8e1 96145->96148 96147 f25118 96147->96038 96149 f4e8ed ___BuildCatchObject 96148->96149 96150 f4e92d 96149->96150 96151 f4e925 __wsopen_s 96149->96151 96153 f4e900 ___scrt_fastfail 96149->96153 96161 f4918d EnterCriticalSection 96150->96161 96151->96147 96175 f4f2d9 20 API calls _free 96153->96175 96154 f4e937 96162 f4e6f8 96154->96162 96157 f4e91a 96176 f527ec 26 API calls _abort 96157->96176 96161->96154 96165 f4e70a ___scrt_fastfail 96162->96165 96168 f4e727 96162->96168 96163 f4e717 96250 f4f2d9 20 API calls _free 96163->96250 96165->96163 96165->96168 96170 f4e76a __fread_nolock 96165->96170 96166 f4e71c 96251 f527ec 26 API calls _abort 96166->96251 96177 f4e96c LeaveCriticalSection __fread_nolock 96168->96177 96169 f4e886 ___scrt_fastfail 96253 f4f2d9 20 API calls _free 96169->96253 96170->96168 96170->96169 96178 f4d955 96170->96178 96185 f58d45 96170->96185 96252 f4cf78 26 API calls 4 library calls 96170->96252 96175->96157 96176->96151 96177->96151 96179 f4d976 96178->96179 96180 f4d961 96178->96180 96179->96170 96254 f4f2d9 20 API calls _free 96180->96254 96182 f4d966 96255 f527ec 26 API calls _abort 96182->96255 96184 f4d971 96184->96170 96186 f58d57 96185->96186 96187 f58d6f 96185->96187 96265 f4f2c6 20 API calls _free 96186->96265 96188 f590d9 96187->96188 96192 f58db4 96187->96192 96281 f4f2c6 20 API calls _free 96188->96281 96190 f58d5c 96266 f4f2d9 20 API calls _free 96190->96266 96196 f58dbf 96192->96196 96199 f58d64 96192->96199 96203 f58def 96192->96203 96194 f590de 96282 f4f2d9 20 API calls _free 96194->96282 96267 f4f2c6 20 API calls _free 96196->96267 96197 f58dcc 96283 f527ec 26 API calls _abort 96197->96283 96199->96170 96200 f58dc4 96268 f4f2d9 20 API calls _free 96200->96268 
96204 f58e08 96203->96204 96205 f58e2e 96203->96205 96206 f58e4a 96203->96206 96204->96205 96212 f58e15 96204->96212 96269 f4f2c6 20 API calls _free 96205->96269 96272 f53820 21 API calls _free 96206->96272 96208 f58e33 96270 f4f2d9 20 API calls _free 96208->96270 96256 f5f89b 96212->96256 96213 f58e61 96216 f529c8 _free 20 API calls 96213->96216 96214 f58e3a 96271 f527ec 26 API calls _abort 96214->96271 96215 f58fb3 96218 f59029 96215->96218 96221 f58fcc GetConsoleMode 96215->96221 96219 f58e6a 96216->96219 96220 f5902d ReadFile 96218->96220 96222 f529c8 _free 20 API calls 96219->96222 96224 f59047 96220->96224 96225 f590a1 GetLastError 96220->96225 96221->96218 96226 f58fdd 96221->96226 96223 f58e71 96222->96223 96227 f58e96 96223->96227 96228 f58e7b 96223->96228 96224->96225 96231 f5901e 96224->96231 96229 f59005 96225->96229 96230 f590ae 96225->96230 96226->96220 96232 f58fe3 ReadConsoleW 96226->96232 96275 f59424 28 API calls __wsopen_s 96227->96275 96273 f4f2d9 20 API calls _free 96228->96273 96248 f58e45 __fread_nolock 96229->96248 96276 f4f2a3 20 API calls 2 library calls 96229->96276 96279 f4f2d9 20 API calls _free 96230->96279 96243 f59083 96231->96243 96244 f5906c 96231->96244 96231->96248 96232->96231 96237 f58fff GetLastError 96232->96237 96233 f529c8 _free 20 API calls 96233->96199 96237->96229 96238 f58e80 96274 f4f2c6 20 API calls _free 96238->96274 96239 f590b3 96280 f4f2c6 20 API calls _free 96239->96280 96246 f5909a 96243->96246 96243->96248 96277 f58a61 31 API calls 4 library calls 96244->96277 96278 f588a1 29 API calls __wsopen_s 96246->96278 96248->96233 96249 f5909f 96249->96248 96250->96166 96251->96168 96252->96170 96253->96166 96254->96182 96255->96184 96257 f5f8a8 96256->96257 96259 f5f8b5 96256->96259 96284 f4f2d9 20 API calls _free 96257->96284 96262 f5f8c1 96259->96262 96285 f4f2d9 20 API calls _free 96259->96285 96261 f5f8ad 96261->96215 96262->96215 96263 f5f8e2 96286 f527ec 26 API calls _abort 96263->96286 96265->96190 96266->96199 
96267->96200 96268->96197 96269->96208 96270->96214 96271->96248 96272->96213 96273->96238 96274->96248 96275->96212 96276->96248 96277->96248 96278->96249 96279->96239 96280->96248 96281->96194 96282->96197 96283->96199 96284->96261 96285->96263 96286->96261 96290 f4e4e8 96287->96290 96289 f9275d 96289->96040 96293 f4e469 96290->96293 96292 f4e505 96292->96289 96294 f4e48c 96293->96294 96295 f4e478 96293->96295 96300 f4e488 __alldvrm 96294->96300 96303 f5333f 11 API calls 2 library calls 96294->96303 96301 f4f2d9 20 API calls _free 96295->96301 96297 f4e47d 96302 f527ec 26 API calls _abort 96297->96302 96300->96292 96301->96297 96302->96300 96303->96300 96308 f92e7a 96304->96308 96305 f92d3b 96305->95941 96305->95959 96306 f250f5 40 API calls 96306->96308 96307 f928fe 27 API calls 96307->96308 96308->96305 96308->96306 96308->96307 96309 f2511f 64 API calls 96308->96309 96309->96308 96311 f922d9 96310->96311 96312 f922e7 96310->96312 96313 f4e5eb 29 API calls 96311->96313 96314 f9232c 96312->96314 96315 f4e5eb 29 API calls 96312->96315 96332 f922f0 96312->96332 96313->96312 96339 f92557 96314->96339 96317 f92311 96315->96317 96317->96314 96319 f9231a 96317->96319 96318 f92370 96320 f92395 96318->96320 96321 f92374 96318->96321 96324 f4e678 67 API calls 96319->96324 96319->96332 96343 f92171 96320->96343 96323 f92381 96321->96323 96326 f4e678 67 API calls 96321->96326 96329 f4e678 67 API calls 96323->96329 96323->96332 96324->96332 96325 f9239d 96327 f923c3 96325->96327 96328 f923a3 96325->96328 96326->96323 96350 f923f3 96327->96350 96330 f923b0 96328->96330 96333 f4e678 67 API calls 96328->96333 96329->96332 96330->96332 96334 f4e678 67 API calls 96330->96334 96332->95959 96333->96330 96334->96332 96335 f923ca 96336 f923de 96335->96336 96358 f4e678 96335->96358 96336->96332 96338 f4e678 67 API calls 96336->96338 96338->96332 96340 f9257c 96339->96340 96342 f92565 __fread_nolock 96339->96342 96341 f4e8c4 __fread_nolock 40 API calls 96340->96341 96341->96342 
96342->96318 96344 f4ea0c ___std_exception_copy 21 API calls 96343->96344 96345 f9217f 96344->96345 96346 f4ea0c ___std_exception_copy 21 API calls 96345->96346 96347 f92190 96346->96347 96348 f4ea0c ___std_exception_copy 21 API calls 96347->96348 96349 f9219c 96348->96349 96349->96325 96354 f92408 96350->96354 96351 f924c0 96386 f92724 96351->96386 96353 f921cc 40 API calls 96353->96354 96354->96351 96354->96353 96357 f924c7 96354->96357 96371 f92269 96354->96371 96382 f92606 96354->96382 96357->96335 96359 f4e684 ___BuildCatchObject 96358->96359 96360 f4e695 96359->96360 96361 f4e6aa 96359->96361 96467 f4f2d9 20 API calls _free 96360->96467 96370 f4e6a5 __wsopen_s 96361->96370 96450 f4918d EnterCriticalSection 96361->96450 96364 f4e69a 96468 f527ec 26 API calls _abort 96364->96468 96365 f4e6c6 96451 f4e602 96365->96451 96368 f4e6d1 96370->96336 96390 f921cc 96371->96390 96374 f922c5 96374->96354 96375 f921cc 40 API calls 96376 f92285 96375->96376 96376->96374 96377 f921cc 40 API calls 96376->96377 96378 f92296 96377->96378 96378->96374 96379 f921cc 40 API calls 96378->96379 96381 f922a8 96379->96381 96381->96374 96383 f92617 96382->96383 96384 f9261d 96382->96384 96383->96384 96394 f926d7 96383->96394 96384->96354 96387 f92742 96386->96387 96388 f92731 96386->96388 96387->96357 96389 f4dbb3 65 API calls 96388->96389 96389->96387 96392 f921ec 96390->96392 96391 f9225d 96391->96374 96391->96375 96392->96391 96393 f92693 40 API calls 96392->96393 96393->96392 96395 f92714 96394->96395 96396 f92703 96394->96396 96395->96383 96398 f4dbb3 96396->96398 96399 f4dbc1 96398->96399 96400 f4dbdd 96398->96400 96399->96400 96401 f4dbe3 96399->96401 96402 f4dbcd 96399->96402 96400->96395 96407 f4d9cc 96401->96407 96410 f4f2d9 20 API calls _free 96402->96410 96405 f4dbd2 96411 f527ec 26 API calls _abort 96405->96411 96412 f4d97b 96407->96412 96410->96405 96411->96400 96413 f4d987 ___BuildCatchObject 96412->96413 96450->96365 96452 f4e624 96451->96452 96453 f4e60f 96451->96453 
96465 f4e61f 96452->96465 96470 f4dc0b 96452->96470 96495 f4f2d9 20 API calls _free 96453->96495 96465->96368 96467->96364 96468->96370 96471 f4dc23 96470->96471 96674 d723b0 96688 d70000 96674->96688 96676 d7246b 96691 d722a0 96676->96691 96694 d73490 GetPEB 96688->96694 96690 d7068b 96690->96676 96692 d722a9 Sleep 96691->96692 96693 d722b7 96692->96693 96695 d734ba 96694->96695 96695->96690 96696 f2105b 96701 f2344d 96696->96701 96698 f2106a 96732 f400a3 29 API calls __onexit 96698->96732 96700 f21074 96702 f2345d __wsopen_s 96701->96702 96703 f2a961 22 API calls 96702->96703 96704 f23513 96703->96704 96705 f23a5a 24 API calls 96704->96705 96706 f2351c 96705->96706 96733 f23357 96706->96733 96709 f233c6 22 API calls 96710 f23535 96709->96710 96711 f2515f 22 API calls 96710->96711 96712 f23544 96711->96712 96713 f2a961 22 API calls 96712->96713 96714 f2354d 96713->96714 96715 f2a6c3 22 API calls 96714->96715 96716 f23556 RegOpenKeyExW 96715->96716 96717 f63176 RegQueryValueExW 96716->96717 96721 f23578 96716->96721 96718 f63193 96717->96718 96719 f6320c RegCloseKey 96717->96719 96720 f3fe0b 22 API calls 96718->96720 96719->96721 96728 f6321e _wcslen 96719->96728 96722 f631ac 96720->96722 96721->96698 96724 f25722 22 API calls 96722->96724 96723 f24c6d 22 API calls 96723->96728 96725 f631b7 RegQueryValueExW 96724->96725 96726 f631d4 96725->96726 96729 f631ee ISource 96725->96729 96727 f26b57 22 API calls 96726->96727 96727->96729 96728->96721 96728->96723 96730 f29cb3 22 API calls 96728->96730 96731 f2515f 22 API calls 96728->96731 96729->96719 96730->96728 96731->96728 96732->96700 96734 f61f50 __wsopen_s 96733->96734 96735 f23364 GetFullPathNameW 96734->96735 96736 f23386 96735->96736 96737 f26b57 22 API calls 96736->96737 96738 f233a4 96737->96738 96738->96709 96739 f21098 96744 f242de 96739->96744 96743 f210a7 96745 f2a961 22 API calls 96744->96745 96746 f242f5 GetVersionExW 96745->96746 96747 f26b57 22 API calls 96746->96747 96748 f24342 96747->96748 96749 
f293b2 22 API calls 96748->96749 96754 f24378 96748->96754 96750 f2436c 96749->96750 96752 f237a0 22 API calls 96750->96752 96751 f2441b GetCurrentProcess IsWow64Process 96753 f24437 96751->96753 96752->96754 96755 f63824 GetSystemInfo 96753->96755 96756 f2444f LoadLibraryA 96753->96756 96754->96751 96760 f637df 96754->96760 96757 f24460 GetProcAddress 96756->96757 96758 f2449c GetSystemInfo 96756->96758 96757->96758 96761 f24470 GetNativeSystemInfo 96757->96761 96759 f24476 96758->96759 96762 f2109d 96759->96762 96763 f2447a FreeLibrary 96759->96763 96761->96759 96764 f400a3 29 API calls __onexit 96762->96764 96763->96762 96764->96743 96765 f2f7bf 96766 f2f7d3 96765->96766 96767 f2fcb6 96765->96767 96769 f2fcc2 96766->96769 96770 f3fddb 22 API calls 96766->96770 96859 f2aceb 23 API calls ISource 96767->96859 96860 f2aceb 23 API calls ISource 96769->96860 96772 f2f7e5 96770->96772 96772->96769 96773 f2fd3d 96772->96773 96774 f2f83e 96772->96774 96861 f91155 22 API calls 96773->96861 96779 f2ed9d ISource 96774->96779 96800 f31310 96774->96800 96777 f74beb 96865 f9359c 82 API calls __wsopen_s 96777->96865 96778 f2ec76 ISource 96778->96777 96778->96779 96780 f2fef7 96778->96780 96782 f3fddb 22 API calls 96778->96782 96784 f74600 96778->96784 96785 f74b0b 96778->96785 96786 f2a8c7 22 API calls 96778->96786 96792 f2fbe3 96778->96792 96793 f2a961 22 API calls 96778->96793 96796 f400a3 29 API calls pre_c_initialization 96778->96796 96797 f40242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96778->96797 96798 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96778->96798 96799 f2f3ae ISource 96778->96799 96857 f301e0 256 API calls 2 library calls 96778->96857 96858 f306a0 41 API calls ISource 96778->96858 96780->96779 96788 f2a8c7 22 API calls 96780->96788 96782->96778 96784->96779 96790 f2a8c7 22 API calls 96784->96790 96863 f9359c 82 API calls __wsopen_s 96785->96863 
96786->96778 96788->96779 96790->96779 96792->96779 96794 f74bdc 96792->96794 96792->96799 96793->96778 96864 f9359c 82 API calls __wsopen_s 96794->96864 96796->96778 96797->96778 96798->96778 96799->96779 96862 f9359c 82 API calls __wsopen_s 96799->96862 96801 f317b0 96800->96801 96802 f31376 96800->96802 97149 f40242 5 API calls __Init_thread_wait 96801->97149 96804 f31390 96802->96804 96805 f76331 96802->96805 96866 f31940 96804->96866 97154 fa709c 256 API calls 96805->97154 96808 f317ba 96810 f317fb 96808->96810 96812 f29cb3 22 API calls 96808->96812 96815 f3182c 96810->96815 96816 f7633d 96810->96816 96811 f31940 9 API calls 96813 f313b6 96811->96813 96820 f317d4 96812->96820 96813->96810 96814 f313ec 96813->96814 96814->96816 96839 f31408 __fread_nolock 96814->96839 97151 f2aceb 23 API calls ISource 96815->97151 97155 f9359c 82 API calls __wsopen_s 96816->97155 96819 f31839 97152 f3d217 256 API calls 96819->97152 97150 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96820->97150 96823 f7636e 97156 f9359c 82 API calls __wsopen_s 96823->97156 96825 f3152f 96826 f763d1 96825->96826 96827 f3153c 96825->96827 97158 fa5745 54 API calls _wcslen 96826->97158 96828 f31940 9 API calls 96827->96828 96830 f31549 96828->96830 96835 f31940 9 API calls 96830->96835 96840 f315c7 ISource 96830->96840 96831 f3fddb 22 API calls 96831->96839 96832 f3fe0b 22 API calls 96832->96839 96833 f31872 97153 f3faeb 23 API calls 96833->97153 96834 f3171d 96834->96778 96843 f31563 96835->96843 96839->96819 96839->96823 96839->96825 96839->96831 96839->96832 96839->96840 96841 f763b2 96839->96841 96876 f2ec40 96839->96876 96840->96833 96844 f31940 9 API calls 96840->96844 96846 f3167b ISource 96840->96846 96855 f24f39 68 API calls 96840->96855 96900 f3effa 96840->96900 96957 fae204 96840->96957 96993 f9744a 96840->96993 97050 f8d4ce 96840->97050 97053 fa958b 96840->97053 97056 f9f0ec 96840->97056 97065 fa959f 96840->97065 97068 f96ef1 96840->97068 97159 f9359c 82 API 
calls __wsopen_s 96840->97159 97157 f9359c 82 API calls __wsopen_s 96841->97157 96843->96840 96847 f2a8c7 22 API calls 96843->96847 96844->96840 96846->96834 97148 f3ce17 22 API calls ISource 96846->97148 96847->96840 96855->96840 96857->96778 96858->96778 96859->96769 96860->96773 96861->96779 96862->96779 96863->96779 96864->96777 96865->96779 96867 f31981 96866->96867 96874 f3195d 96866->96874 97160 f40242 5 API calls __Init_thread_wait 96867->97160 96868 f313a0 96868->96811 96871 f3198b 96871->96874 97161 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96871->97161 96872 f38727 96872->96868 97163 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96872->97163 96874->96868 97162 f40242 5 API calls __Init_thread_wait 96874->97162 96878 f2ec76 ISource 96876->96878 96877 f400a3 29 API calls pre_c_initialization 96877->96878 96878->96877 96879 f74beb 96878->96879 96880 f3fddb 22 API calls 96878->96880 96883 f2f3ae ISource 96878->96883 96884 f2fef7 96878->96884 96885 f74600 96878->96885 96886 f74b0b 96878->96886 96892 f2a8c7 22 API calls 96878->96892 96893 f40242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96878->96893 96894 f2fbe3 96878->96894 96895 f2a961 22 API calls 96878->96895 96898 f401f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96878->96898 96899 f2ed9d ISource 96878->96899 97164 f301e0 256 API calls 2 library calls 96878->97164 97165 f306a0 41 API calls ISource 96878->97165 97169 f9359c 82 API calls __wsopen_s 96879->97169 96880->96878 96883->96899 97166 f9359c 82 API calls __wsopen_s 96883->97166 96888 f2a8c7 22 API calls 96884->96888 96884->96899 96890 f2a8c7 22 API calls 96885->96890 96885->96899 97167 f9359c 82 API calls __wsopen_s 96886->97167 96888->96899 96890->96899 96892->96878 96893->96878 96894->96883 96896 f74bdc 96894->96896 96894->96899 96895->96878 97168 f9359c 82 API calls __wsopen_s 96896->97168 
96898->96878 96899->96839 97170 f29c6e 96900->97170 96903 f7f0a8 96907 f3f0a4 96903->96907 97263 f99caa 39 API calls 96903->97263 96904 f3fddb 22 API calls 96906 f3f02b 96904->96906 96908 f3fe0b 22 API calls 96906->96908 96916 f3f0b1 96907->96916 97203 f2b567 96907->97203 96909 f3f03c 96908->96909 97208 f26246 96909->97208 96913 f2a961 22 API calls 96915 f3f04f 96913->96915 96914 f7f10a 96914->96916 96917 f7f112 96914->96917 96918 f26246 CloseHandle 96915->96918 97184 f3fa5b 96916->97184 96920 f2b567 39 API calls 96917->96920 96921 f3f056 96918->96921 96925 f3f0b8 96920->96925 97212 f27510 96921->97212 96924 f26246 CloseHandle 96926 f3f06c 96924->96926 96927 f7f127 96925->96927 96928 f3f0d3 96925->96928 97235 f25745 96926->97235 96931 f3fe0b 22 API calls 96927->96931 96930 f26270 22 API calls 96928->96930 96933 f3f0db 96930->96933 96934 f7f12c 96931->96934 97189 f3f141 96933->97189 96938 f7f140 96934->96938 97264 f3f866 ReadFile SetFilePointerEx 96934->97264 96935 f3f085 97243 f253de 96935->97243 96936 f7f0a0 97262 f26216 CloseHandle ISource 96936->97262 96946 f7f144 __fread_nolock 96938->96946 97265 f90e85 22 API calls ___scrt_fastfail 96938->97265 96941 f3f0ea 96941->96946 97259 f262b5 22 API calls 96941->97259 96945 f3f093 97258 f253c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96945->97258 96948 f3f0fe 96949 f3f138 96948->96949 96952 f26246 CloseHandle 96948->96952 96949->96840 96950 f3f09a 96950->96907 96951 f7f069 96950->96951 97261 f8ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96951->97261 96954 f3f12c 96952->96954 96954->96949 97260 f26216 CloseHandle ISource 96954->97260 96955 f7f080 96955->96907 96958 f2a961 22 API calls 96957->96958 96959 fae21b 96958->96959 96960 f27510 53 API calls 96959->96960 96961 fae22a 96960->96961 96962 f26270 22 API calls 96961->96962 96963 fae23d 96962->96963 96964 f27510 53 API calls 96963->96964 96965 fae24a 96964->96965 96966 fae262 96965->96966 96967 fae2c7 96965->96967 96968 f2b567 39 API 
calls 96966->96968 96969 f27510 53 API calls 96967->96969 96970 fae267 96968->96970 96971 fae2cc 96969->96971 96972 fae2d9 96970->96972 96974 fae280 96970->96974 96971->96972 96976 fae314 96971->96976 96973 f29c6e 22 API calls 96972->96973 96990 fae2e6 96973->96990 97314 f26d25 96974->97314 96975 fae32c 96979 fae345 96975->96979 96982 f2b567 39 API calls 96975->96982 96976->96975 96978 f2b567 39 API calls 96976->96978 96978->96975 96980 f2a8c7 22 API calls 96979->96980 96983 fae35f 96980->96983 96981 fae28d 96984 f26350 22 API calls 96981->96984 96982->96979 97327 f892c8 43 API calls 96983->97327 96986 fae29b 96984->96986 96987 f26d25 22 API calls 96986->96987 96988 fae2b4 96987->96988 96989 f26350 22 API calls 96988->96989 96992 fae2c2 96989->96992 96990->96840 97328 f262b5 22 API calls 96992->97328 96994 f97469 96993->96994 96995 f97474 96993->96995 96996 f2b567 39 API calls 96994->96996 96999 f2a961 22 API calls 96995->96999 97032 f97554 96995->97032 96996->96995 96997 f3fddb 22 API calls 96998 f97587 96997->96998 97000 f3fe0b 22 API calls 96998->97000 97001 f97495 96999->97001 97002 f97598 97000->97002 97003 f2a961 22 API calls 97001->97003 97004 f26246 CloseHandle 97002->97004 97005 f9749e 97003->97005 97007 f975a3 97004->97007 97006 f27510 53 API calls 97005->97006 97008 f974aa 97006->97008 97009 f2a961 22 API calls 97007->97009 97330 f2525f 97008->97330 97011 f975ab 97009->97011 97013 f26246 CloseHandle 97011->97013 97012 f974bf 97014 f26350 22 API calls 97012->97014 97015 f975b2 97013->97015 97016 f974f2 97014->97016 97017 f27510 53 API calls 97015->97017 97018 f9754a 97016->97018 97020 f8d4ce 4 API calls 97016->97020 97019 f975be 97017->97019 97022 f2b567 39 API calls 97018->97022 97021 f26246 CloseHandle 97019->97021 97023 f97502 97020->97023 97024 f975c8 97021->97024 97022->97032 97023->97018 97025 f97506 97023->97025 97026 f25745 5 API calls 97024->97026 97027 f29cb3 22 API calls 97025->97027 97028 f975e2 97026->97028 97029 f97513 97027->97029 97030 
f975ea 97028->97030 97031 f976de GetLastError 97028->97031 97372 f8d2c1 26 API calls 97029->97372 97035 f253de 27 API calls 97030->97035 97034 f976f7 97031->97034 97032->96997 97039 f976a4 97032->97039 97376 f26216 CloseHandle ISource 97034->97376 97038 f975f8 97035->97038 97037 f9751c 97037->97018 97373 f253c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97038->97373 97039->96840 97041 f975ff 97042 f97645 97041->97042 97044 f97619 97041->97044 97043 f3fddb 22 API calls 97042->97043 97045 f97679 97043->97045 97374 f8ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97044->97374 97047 f2a961 22 API calls 97045->97047 97048 f97686 97047->97048 97048->97039 97375 f8417d 22 API calls __fread_nolock 97048->97375 97378 f8dbbe lstrlenW 97050->97378 97383 fa7f59 97053->97383 97055 fa959b 97055->96840 97057 f27510 53 API calls 97056->97057 97058 f9f126 97057->97058 97475 f29e90 97058->97475 97060 f9f136 97061 f2ec40 256 API calls 97060->97061 97062 f9f15b 97060->97062 97061->97062 97063 f29c6e 22 API calls 97062->97063 97064 f9f15f 97062->97064 97063->97064 97064->96840 97066 fa7f59 120 API calls 97065->97066 97067 fa95af 97066->97067 97067->96840 97069 f2a961 22 API calls 97068->97069 97070 f96f1d 97069->97070 97071 f2a961 22 API calls 97070->97071 97072 f96f26 97071->97072 97073 f96f3a 97072->97073 97074 f2b567 39 API calls 97072->97074 97075 f27510 53 API calls 97073->97075 97074->97073 97081 f96f57 _wcslen 97075->97081 97076 f96fbc 97079 f27510 53 API calls 97076->97079 97077 f970bf 97078 f24ecb 94 API calls 97077->97078 97080 f970d0 97078->97080 97082 f96fc8 97079->97082 97083 f970e5 97080->97083 97084 f24ecb 94 API calls 97080->97084 97081->97076 97081->97077 97090 f970e9 97081->97090 97086 f2a8c7 22 API calls 97082->97086 97088 f96fdb 97082->97088 97085 f2a961 22 API calls 97083->97085 97083->97090 97084->97083 97087 f9711a 97085->97087 97086->97088 97091 f2a961 22 API calls 97087->97091 97089 f97027 97088->97089 97092 f97005 97088->97092 97096 
f2a8c7 22 API calls 97088->97096 97093 f27510 53 API calls 97089->97093 97090->96840 97094 f97126 97091->97094 97097 f233c6 22 API calls 97092->97097 97098 f97034 97093->97098 97095 f2a961 22 API calls 97094->97095 97099 f9712f 97095->97099 97096->97092 97100 f9700f 97097->97100 97101 f9703d 97098->97101 97102 f97047 97098->97102 97104 f2a961 22 API calls 97099->97104 97105 f27510 53 API calls 97100->97105 97106 f2a8c7 22 API calls 97101->97106 97621 f8e199 GetFileAttributesW 97102->97621 97108 f97138 97104->97108 97109 f9701b 97105->97109 97106->97102 97107 f97050 97110 f97063 97107->97110 97113 f24c6d 22 API calls 97107->97113 97111 f27510 53 API calls 97108->97111 97112 f26350 22 API calls 97109->97112 97115 f27510 53 API calls 97110->97115 97121 f97069 97110->97121 97114 f97145 97111->97114 97112->97089 97113->97110 97116 f2525f 22 API calls 97114->97116 97117 f970a0 97115->97117 97118 f97166 97116->97118 97622 f8d076 57 API calls 97117->97622 97120 f24c6d 22 API calls 97118->97120 97122 f97175 97120->97122 97121->97090 97123 f971a9 97122->97123 97125 f24c6d 22 API calls 97122->97125 97124 f2a8c7 22 API calls 97123->97124 97126 f971ba 97124->97126 97127 f97186 97125->97127 97128 f26350 22 API calls 97126->97128 97127->97123 97130 f26b57 22 API calls 97127->97130 97129 f971c8 97128->97129 97131 f26350 22 API calls 97129->97131 97132 f9719b 97130->97132 97134 f971d6 97131->97134 97133 f26b57 22 API calls 97132->97133 97133->97123 97135 f26350 22 API calls 97134->97135 97136 f971e4 97135->97136 97137 f27510 53 API calls 97136->97137 97138 f971f0 97137->97138 97512 f8d7bc 97138->97512 97140 f97201 97141 f8d4ce 4 API calls 97140->97141 97142 f9720b 97141->97142 97143 f27510 53 API calls 97142->97143 97147 f97239 97142->97147 97144 f97229 97143->97144 97566 f92947 97144->97566 97146 f24f39 68 API calls 97146->97090 97147->97146 97148->96846 97149->96808 97150->96810 97151->96819 97152->96833 97153->96833 97154->96816 97155->96840 97156->96840 97157->96840 
[Control-flow graph node/edge data: the report renders this section as an interactive graph of basic blocks (node addresses in the 0x00F2xxxx-0x00FBxxxx range of the main image) and the edges between them; the raw node/edge list is omitted here. Windows API calls named on graph nodes: ReadFile, SetFilePointerEx, CreateFileW, CloseHandle, GetFileAttributesW, FindFirstFileW, FindClose, CharLowerBuffW, CharUpperBuffW, GetCurrentProcess, TerminateProcess, FreeLibrary, VirtualAlloc, GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, SetFileTime, EnterCriticalSection, LeaveCriticalSection, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetModuleHandleW, GetStartupInfoW, GetStdHandle, GetFileType, GetOpenFileNameW, GetLongPathNameW, GetForegroundWindow, ShellExecuteW, Shell_NotifyIconW, SetCurrentDirectoryW, CreateWindowExW, ShowWindow, OleInitialize, InitializeCriticalSectionAndSpinCount, InterlockedExchange, DuplicateHandle, CreateThread, RegisterWindowMessageW, PeekMessageW, GetInputState, TranslateAcceleratorW, timeGetTime, TranslateMessage, DispatchMessageW, Sleep, GetExitCodeProcess, WaitForSingleObject, IsDialogMessageW, GetClassLongW, QueryPerformanceCounter, QueryPerformanceFrequency, SetEvent, ResetEvent, GetLastError, SystemParametersInfoW.]

                    Control-flow Graph
                    [Interactive graph of the function starting at 00F242DE (basic blocks marked executed / not executed); the basic-block edge list is omitted here. Blocks in this function call GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, as listed under APIs below.]
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 00F2430D
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    • GetCurrentProcess.KERNEL32(?,00FBCB64,00000000,?,?), ref: 00F24422
                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F24429
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F24454
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F24466
                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F24474
                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F2447B
                    • GetSystemInfo.KERNEL32(?,?,?), ref: 00F244A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                    • API String ID: 3290436268-3101561225
                    • Opcode ID: 09683c9dbfb9c0d1fed9c9c3686c6d3cb37a4806824104871cb1cce22acfc6b5
                    • Instruction ID: 94e2f75e5102dff3c77dfd1ebd02717761bea9d61ccd7546a02ddd6dce58d13c
                    • Opcode Fuzzy Hash: 09683c9dbfb9c0d1fed9c9c3686c6d3cb37a4806824104871cb1cce22acfc6b5
                    • Instruction Fuzzy Hash: A0A1B266D0E2DCDFC711D7ADBC816B57FEC7F26310B0849A9D48193A22D2615908FF61

                    Control-flow Graph (rendered graph omitted; entry block f242a2-f242ba CreateStreamOnHGlobal, with branches through FindResourceExW, LoadResource, SizeofResource and LockResource)
                    APIs
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F250AA,?,?,00000000,00000000), ref: 00F242B2
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F250AA,?,?,00000000,00000000), ref: 00F242C9
                    • LoadResource.KERNEL32(?,00000000,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20), ref: 00F635BE
                    • SizeofResource.KERNEL32(?,00000000,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20), ref: 00F635D3
                    • LockResource.KERNEL32(00F250AA,?,?,00F250AA,?,?,00000000,00000000,?,?,?,?,?,?,00F24F20,?), ref: 00F635E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT
                    • API String ID: 3051347437-3967369404
                    • Opcode ID: 28b46215802320524dc007a801a36cd5889cf4758e8e837ebdb855a9fb28579c
                    • Instruction ID: d89da2396fcae7abe1a8d0ee1aa53e150f9fbaf27b33ec0371400cbe73a85aa5
                    • Opcode Fuzzy Hash: 28b46215802320524dc007a801a36cd5889cf4758e8e837ebdb855a9fb28579c
                    • Instruction Fuzzy Hash: CA118271600705FFD7218BA6EC88F677BB9EBC5B51F144269F402D6290DBB1EC00AA70

                    Control-flow Graph

                    APIs
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F22B6B
                      • Part of subcall function 00F23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FF1418,?,00F22E7F,?,?,?,00000000), ref: 00F23A78
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • GetForegroundWindow.USER32(runas,?,?,?,?,?,00FE2224), ref: 00F62C10
                    • ShellExecuteW.SHELL32(00000000,?,?,00FE2224), ref: 00F62C17
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                    • String ID: runas
                    • API String ID: 448630720-4000483414
                    • Opcode ID: ccc604bf70b5ed6975f2105e0bd64152399af344e7a636c947b7e5e486116a02
                    • Instruction ID: a8a5aad38052d65538a696b1c5c087d8f12ccdc7aab662c061082dff8a194dc0
                    • Opcode Fuzzy Hash: ccc604bf70b5ed6975f2105e0bd64152399af344e7a636c947b7e5e486116a02
                    • Instruction Fuzzy Hash: C311AF71608269AAC714FF60FC919BE77A8AFD5710F48082DB182570A3CF6D8A09F752
                    APIs
                    • lstrlenW.KERNEL32(?,00F65222), ref: 00F8DBCE
                    • GetFileAttributesW.KERNELBASE(?), ref: 00F8DBDD
                    • FindFirstFileW.KERNELBASE(?,?), ref: 00F8DBEE
                    • FindClose.KERNEL32(00000000), ref: 00F8DBFA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirstlstrlen
                    • String ID:
                    • API String ID: 2695905019-0
                    • Opcode ID: 0e25fa3cf85dbdaa70ce0fe62b2808b57f963750289002094fdb2559cf06b09b
                    • Instruction ID: 9f8045122bc415a70d964da10c3a3531d68ed7662c46ef35f7ec77decb5b77aa
                    • Opcode Fuzzy Hash: 0e25fa3cf85dbdaa70ce0fe62b2808b57f963750289002094fdb2559cf06b09b
                    • Instruction Fuzzy Hash: 6BF0ED31810918678620BB7CAC4D8EB37AC9E02334B104702F836C20F0EBB09D94EBD6
                    APIs
                    • GetInputState.USER32 ref: 00F2D807
                    • timeGetTime.WINMM ref: 00F2DA07
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2DB28
                    • TranslateMessage.USER32(?), ref: 00F2DB7B
                    • DispatchMessageW.USER32(?), ref: 00F2DB89
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F2DB9F
                    • Sleep.KERNEL32(0000000A), ref: 00F2DBB1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                    • String ID:
                    • API String ID: 2189390790-0
                    • Opcode ID: f1586c516eacee57f272686e44c187b9f65a81491e2c2111f6fd00c8de4352dc
                    • Instruction ID: 3a09e394a8219ab9db8b9bb174f0c7d8156db4c19a5847f6642232f8099cd998
                    • Opcode Fuzzy Hash: f1586c516eacee57f272686e44c187b9f65a81491e2c2111f6fd00c8de4352dc
                    • Instruction Fuzzy Hash: 60421431A08255DFD728CF24D894BAAB7E4BF85320F14861EF49987291D774E884FF82

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00F22D07
                    • RegisterClassExW.USER32(00000030), ref: 00F22D31
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F22D42
                    • InitCommonControlsEx.COMCTL32(?), ref: 00F22D5F
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F22D6F
                    • LoadIconW.USER32(000000A9), ref: 00F22D85
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F22D94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 7a3e53c6142633cdbc7cccf79403c0e666485781b0bac35332aae8fff7d82e50
                    • Instruction ID: 84e2b3c1808d9a311b2c101c6f40222297cf3e4b48ca19732d0573ed3183565f
                    • Opcode Fuzzy Hash: 7a3e53c6142633cdbc7cccf79403c0e666485781b0bac35332aae8fff7d82e50
                    • Instruction Fuzzy Hash: 1B21C3B591121CEFDB10DFA4E889BEEBBB8FB08700F10421AF551A62A0D7B54544EF91

                    Control-flow Graph (rendered graph omitted; entry block f6065b-f6068b call f6042f, with branches through the CreateFileW subcall f6039a, GetFileType, GetLastError/__dosmaperr and CloseHandle)
                    APIs
                      • Part of subcall function 00F6039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F60704,?,?,00000000,?,00F60704,00000000,0000000C), ref: 00F603B7
                    • GetLastError.KERNEL32 ref: 00F6076F
                    • __dosmaperr.LIBCMT ref: 00F60776
                    • GetFileType.KERNELBASE(00000000), ref: 00F60782
                    • GetLastError.KERNEL32 ref: 00F6078C
                    • __dosmaperr.LIBCMT ref: 00F60795
                    • CloseHandle.KERNEL32(00000000), ref: 00F607B5
                    • CloseHandle.KERNEL32(?), ref: 00F608FF
                    • GetLastError.KERNEL32 ref: 00F60931
                    • __dosmaperr.LIBCMT ref: 00F60938
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: 818ac49e44ae5b4a05ec733b5505c6a31da57dfd537e9900caa264844cb89747
                    • Instruction ID: 84efb5c0743232c984c8a74a28a2dc470ec1afc2933b49864ebd8778c30e28db
                    • Opcode Fuzzy Hash: 818ac49e44ae5b4a05ec733b5505c6a31da57dfd537e9900caa264844cb89747
                    • Instruction Fuzzy Hash: 28A12432E141088FDF19EF68DC91BAE3BA0EB46320F240159F8159B3D2DB359D16EB91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00F23A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FF1418,?,00F22E7F,?,?,?,00000000), ref: 00F23A78
                      • Part of subcall function 00F23357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F23379
                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F2356A
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F6318D
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F631CE
                    • RegCloseKey.ADVAPI32(?), ref: 00F63210
                    • _wcslen.LIBCMT ref: 00F63277
                    • _wcslen.LIBCMT ref: 00F63286
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 98802146-2727554177
                    • Opcode ID: 2bdac05754a83f453813cbef17dcf043fee156db2f70447cbb05a47486716fe2
                    • Instruction ID: c7e0bd7390dbdb90d4ebf826a9fa0ff96f6e0c92804910ab553104aaf8c16ca8
                    • Opcode Fuzzy Hash: 2bdac05754a83f453813cbef17dcf043fee156db2f70447cbb05a47486716fe2
                    • Instruction Fuzzy Hash: B671A2B18053199FC314EF69EC819ABBBECFF85750F40042DF54583161EB789A48EB52

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00F22B8E
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F22B9D
                    • LoadIconW.USER32(00000063), ref: 00F22BB3
                    • LoadIconW.USER32(000000A4), ref: 00F22BC5
                    • LoadIconW.USER32(000000A2), ref: 00F22BD7
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F22BEF
                    • RegisterClassExW.USER32(?), ref: 00F22C40
                      • Part of subcall function 00F22CD4: GetSysColorBrush.USER32(0000000F), ref: 00F22D07
                      • Part of subcall function 00F22CD4: RegisterClassExW.USER32(00000030), ref: 00F22D31
                      • Part of subcall function 00F22CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F22D42
                      • Part of subcall function 00F22CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F22D5F
                      • Part of subcall function 00F22CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F22D6F
                      • Part of subcall function 00F22CD4: LoadIconW.USER32(000000A9), ref: 00F22D85
                      • Part of subcall function 00F22CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F22D94
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: 6bb601ec385dccdf60d722ad660b86613430b877a730fb570b779a869813f191
                    • Instruction ID: fbe7b3243a10236b9dcfb8975fdc440b9e750b3547beaee6e0b015cfc669ca0c
                    • Opcode Fuzzy Hash: 6bb601ec385dccdf60d722ad660b86613430b877a730fb570b779a869813f191
                    • Instruction Fuzzy Hash: F4212970E0031DEBDB109FA6EC99AAA7FB8FF48B50F14011AF600A66A0D7B50544EF90

                    Control-flow Graph (rendered graph omitted; entry block f23170-f23185, a window procedure whose branches reach DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus)
                    APIs
                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F2316A,?,?), ref: 00F231D8
                    • KillTimer.USER32(?,00000001,?,?,?,?,?,00F2316A,?,?), ref: 00F23204
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F23227
                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F2316A,?,?), ref: 00F23232
                    • CreatePopupMenu.USER32 ref: 00F23246
                    • PostQuitMessage.USER32(00000000), ref: 00F23267
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated
                    • API String ID: 129472671-2362178303
                    • Opcode ID: 9f8d71b37262933d8a7991a5a1815ad9506c2775c7ba5cd0b99362731ea7f840
                    • Instruction ID: fa9379726252ece24b171f972b7fa8f52ef5f5712c3b146d79a59e2aa578c3eb
                    • Opcode Fuzzy Hash: 9f8d71b37262933d8a7991a5a1815ad9506c2775c7ba5cd0b99362731ea7f840
                    • Instruction Fuzzy Hash: 564107B2A4022CE7DB145B78AD49B7A3629FF05360F140125F541D61E2CB7ECA40FBA1

                    Control-flow Graph (rendered graph omitted; entry block f58d45-f58d55, with branches reaching ReadFile, GetConsoleMode, ReadConsoleW and GetLastError)
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 056e09a2f4f8315a9e2534ede605c63bc94e3025d0251b63d636debd1f1db443
                    • Instruction ID: 7454deea413a67f08b93fe4d4820355009f2bae8965d0ca7c3c0fb70ad4d30e9
                    • Opcode Fuzzy Hash: 056e09a2f4f8315a9e2534ede605c63bc94e3025d0251b63d636debd1f1db443
                    • Instruction Fuzzy Hash: 5CC1E175D08249EFCF159FA8CC41BADBFB4AF09321F044159EE15A72D2C7748A4AEB60

                    Control-flow Graph (rendered graph omitted; entry block d725e0-d7268e call d70000, with branches through CreateFileW, VirtualAlloc, ReadFile, FindCloseChangeNotification and VirtualFree)
                    APIs
                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D726B1
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D728D7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID:
                    • API String ID: 204039940-0
                    • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                    • Instruction ID: 6a31377de2f1548bece5106b55845a3d23bb929089013d2993a1e4fe1f9a8546
                    • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                    • Instruction Fuzzy Hash: C4A13770E00209EBDB14CFA4C994BEEBBB5FF48304F248159E505BB280E7759A81DFA1

                    Control-flow Graph

                    • Function at f22c63 (basic blocks f22c63-f22cd3); calls CreateWindowExW (x2) and ShowWindow (x2) (graph rendering not recoverable from the page text)
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F22C91
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F22CB2
                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F21CAD,?), ref: 00F22CC6
                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F21CAD,?), ref: 00F22CCF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399
                    • Opcode ID: 65c30aed8acef1a232e64cef2a799872b108eddf3e5f8b8327be0bc1913ab2ff
                    • Instruction ID: 509f732b2049314cff861dc80dee1e271340629cc3dc37f098737711f78ab700
                    • Opcode Fuzzy Hash: 65c30aed8acef1a232e64cef2a799872b108eddf3e5f8b8327be0bc1913ab2ff
                    • Instruction Fuzzy Hash: 57F0DA76540298BAEB311717AC48EB73EBDEBC7F60B10005AF900A75A0C6625850FEB4

                    Control-flow Graph

                    • Function at d723b0 (basic blocks d723b0-d7259d); calls d70000, d722a0, CreateFileW, VirtualAlloc, ReadFile, d722e0, d712a0, d72330 and ExitProcess (graph rendering not recoverable from the page text)
                    APIs
                      • Part of subcall function 00D722A0: Sleep.KERNELBASE(000001F4), ref: 00D722B1
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D724D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: 9EC1R00X9A59IN4A1UZPV7
                    • API String ID: 2694422964-2955565628
                    • Opcode ID: 4f78b2114735147aab0e7c3f93de90d508718047de993ae2c6190bf2fd3dd873
                    • Instruction ID: 12c0114a595a8f009c3d00c7ddda78eeeb48f30eb537d58b7a73bf45ba38ecad
                    • Opcode Fuzzy Hash: 4f78b2114735147aab0e7c3f93de90d508718047de993ae2c6190bf2fd3dd873
                    • Instruction Fuzzy Hash: AD51B370D04289DBEF11DBE4C819BEEBBB8AF19304F044199E648BB2C1D6B94B44CB75

                    APIs
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92C05
                    • DeleteFileW.KERNEL32(?), ref: 00F92C87
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F92C9D
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92CAE
                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F92CC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: File$Delete$Copy
                    • String ID:
                    • API String ID: 3226157194-0
                    • Opcode ID: 93ad482354d4aa634de3174500252dace4727cb6c7d164aa9f21f9a5d375ae6c
                    • Instruction ID: 4f8d81d6634ab729df7c369feacc8970365ef197665d39d6ded8506296cf5775
                    • Opcode Fuzzy Hash: 93ad482354d4aa634de3174500252dace4727cb6c7d164aa9f21f9a5d375ae6c
                    • Instruction Fuzzy Hash: 8BB14F72D00129ABDF61DFA4CC85EDEBBBDEF48350F1040A6F509E6151EA349E44AF61

                    Control-flow Graph

                    • Function at f23b1c (basic blocks f23b1c-f23b9b); calls RegOpenKeyExW, RegQueryValueExW and RegCloseKey (graph rendering not recoverable from the page text)
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B40
                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B61
                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F23B0F,SwapMouseButtons,00000004,?), ref: 00F23B83
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    • Opcode ID: 130917eb1db4cf714a29d0c11c6f34dc75deb7b3b94c5372ceb138ff5fefbb91
                    • Instruction ID: 15c9be64fa4cdaf7512d710df768b4bcc3226e49cc1441c1b4761f19494c2de0
                    • Opcode Fuzzy Hash: 130917eb1db4cf714a29d0c11c6f34dc75deb7b3b94c5372ceb138ff5fefbb91
                    • Instruction Fuzzy Hash: 7A113CB5511218FFDB20DFA5EC84EAFBBB8EF44794B104559F805D7110D2359F40ABA0
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00D71ACD
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D71AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D71B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                    • Instruction ID: 65439b0a7bd9c00e2d0f3339f2509c6a97d256d5a14f4b76ae92666f2e93fd3e
                    • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                    • Instruction Fuzzy Hash: A6621B34A14258DBEB24CFA4C841BDEB372EF58700F1091A9E50DEB394E7759E81CB69
                    Strings
                    • Variable must be of type 'Object'., xrefs: 00F732B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID: Variable must be of type 'Object'.
                    • API String ID: 0-109567571
                    • Opcode ID: abedc8a3cd99f277e0274bc391d898134b2d697cf43582190453eb0738bc6a2d
                    • Instruction ID: 85bd166e68de0baa4c5906c52f91fa1c02a1e86caa1f5161c2f2fa12eaad1890
                    • Opcode Fuzzy Hash: abedc8a3cd99f277e0274bc391d898134b2d697cf43582190453eb0738bc6a2d
                    • Instruction Fuzzy Hash: 8DC28C75E00225DFCB24CF58E881AADB7B1FF08320F288169E955AB391D375ED41EB91
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F633A2
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F23A04
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_wcslen
                    • String ID: Line:
                    • API String ID: 2289894680-1585850449
                    • Opcode ID: f84c1d05e6f3bddd15f8f450bfeca1c1969def5c86d7681c125a154a62f51f97
                    • Instruction ID: 0f92ce7b4bf9ebcc39878b9ca46adb875e72a2b066430572fe004772efbf611c
                    • Opcode Fuzzy Hash: f84c1d05e6f3bddd15f8f450bfeca1c1969def5c86d7681c125a154a62f51f97
                    • Instruction Fuzzy Hash: 9931D6B1908324AAD725EB10EC45FEB77DCAF45710F00492AF59993191DF789A48EBC2
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F40668
                      • Part of subcall function 00F432A4: RaiseException.KERNEL32(?,?,?,00F4068A,?,00FF1444,?,?,?,?,?,?,00F4068A,00F21129,00FE8738,00F21129), ref: 00F43304
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F40685
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Exception@8Throw$ExceptionRaise
                    • String ID: Unknown exception
                    • API String ID: 3476068407-410509341
                    • Opcode ID: f6cd6f96bd1b1335053c2aaca67c11b0a49b4eaf62de1848d5d19c3ce33413a4
                    • Instruction ID: 551defe8682aecfcb635441788cb2f7c6534ddddd9ef6364015f0354cc5ceb22
                    • Opcode Fuzzy Hash: f6cd6f96bd1b1335053c2aaca67c11b0a49b4eaf62de1848d5d19c3ce33413a4
                    • Instruction Fuzzy Hash: ADF0C234D0020D778B00BA65EC4AD9E7F6C9E40360B604531BE1996592EF75EB2AF981
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F9302F
                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F93044
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: 17d1b6986c55b435fedb450d8ec9aa7fb200ed1a098f8a290f1aba782766b33a
                    • Instruction ID: 55576b24c528813992a6d3672dbb1771e05cadd963b91fec4b9444a430950c7d
                    • Opcode Fuzzy Hash: 17d1b6986c55b435fedb450d8ec9aa7fb200ed1a098f8a290f1aba782766b33a
                    • Instruction Fuzzy Hash: 33D05E7290032C67DA20A7A5AC4EFCB3A6CDB04750F0002A1B755E2091DAB4D984CFE0
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FA82F5
                    • TerminateProcess.KERNEL32(00000000), ref: 00FA82FC
                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00FA84DD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$CurrentFreeLibraryTerminate
                    • String ID:
                    • API String ID: 146820519-0
                    • Opcode ID: ffeca1033786e7ac742de4f8338eefe33cfdbe261199f334ca5c39aed497f09d
                    • Instruction ID: cfc58d7aab1418b53861bafb5ad73bc60d8ab0d1b1d47c66f809b419e79cf75f
                    • Opcode Fuzzy Hash: ffeca1033786e7ac742de4f8338eefe33cfdbe261199f334ca5c39aed497f09d
                    • Instruction Fuzzy Hash: B1128CB19083019FC714DF28C484B6ABBE1FF89364F04895DE8898B252CB75ED46DF92
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e7ee2cdc662536f4e8a4189da23bdc3171310ba64a792e4bdc0c2fe010e6f55e
                    • Instruction ID: f2e777048a51aa9b6c995c922c0b9302e6172db324bdf75a57787285c47a40bd
                    • Opcode Fuzzy Hash: e7ee2cdc662536f4e8a4189da23bdc3171310ba64a792e4bdc0c2fe010e6f55e
                    • Instruction Fuzzy Hash: 8451F271D00609ABCB109FB4CC59FAE7FB8AF45B22F140059FE04AB291C6759A09EB61
                    APIs
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F21BF4
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F21BFC
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F21C07
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F21C12
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F21C1A
                      • Part of subcall function 00F21BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21C22
                      • Part of subcall function 00F21B4A: RegisterWindowMessageW.USER32(00000004,?,00F212C4), ref: 00F21BA2
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F2136A
                    • OleInitialize.OLE32 ref: 00F21388
                    • CloseHandle.KERNEL32(00000000,00000000), ref: 00F624AB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID:
                    • API String ID: 1986988660-0
                    • Opcode ID: a0588b090981383332f59cd4c175c2f76997bbe1b0883b65f3dec8dcef2ff09f
                    • Instruction ID: 48ec303271ff3f67943d4f95b76c3ca9e629e05c142a68408784755a3ac7b62e
                    • Opcode Fuzzy Hash: a0588b090981383332f59cd4c175c2f76997bbe1b0883b65f3dec8dcef2ff09f
                    • Instruction Fuzzy Hash: 6971AAB5901208CFD384EF7AAD456763AE8BF9938475C822AD00ADB272EB354444FF54
                    APIs
                    • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 00F2556D
                    • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 00F2557D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 7b59889b90ecff52bf70cce7f2b8f01d950e9e8d30871f71ef46c4c613e343e8
                    • Instruction ID: 2a376bf369a736e0e9a4260dcb1d879fad6c9406b6437c50749f7854a9296290
                    • Opcode Fuzzy Hash: 7b59889b90ecff52bf70cce7f2b8f01d950e9e8d30871f71ef46c4c613e343e8
                    • Instruction Fuzzy Hash: C1318D71A00619FFDB14CF28D881B99B7B6FB08728F188229E81597240D770FE94EBD0
                    APIs
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F585CC,?,00FE8CC8,0000000C), ref: 00F58704
                    • GetLastError.KERNEL32(?,00F585CC,?,00FE8CC8,0000000C), ref: 00F5870E
                    • __dosmaperr.LIBCMT ref: 00F58739
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                    • String ID:
                    • API String ID: 490808831-0
                    • Opcode ID: 052ebe77cea5dbdaf42d325fddaaaa2a493a0650a42bcfcb72baf19ea4acbd21
                    • Instruction ID: 01407d68e4c02b36e2d5d9146818e2c56140334aae29c8a301742eba7a018a41
                    • Opcode Fuzzy Hash: 052ebe77cea5dbdaf42d325fddaaaa2a493a0650a42bcfcb72baf19ea4acbd21
                    • Instruction Fuzzy Hash: 4E010832E0562416D7646234AC4577E7B4A4F81BB6F290219EE18AB1D2DEA48C8AB190
                    APIs
                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00F92CD4,?,?,?,00000004,00000001), ref: 00F92FF2
                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F92CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F93006
                    • CloseHandle.KERNEL32(00000000,?,00F92CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F9300D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: bbc491888d37159442d1bca9580412af5fe494e69d5defd9b1c8670b8c62395d
                    • Instruction ID: f0907e2ff340b4fb816bac00f43e9049db736e8c0f45629bd9f489a932a65639
                    • Opcode Fuzzy Hash: bbc491888d37159442d1bca9580412af5fe494e69d5defd9b1c8670b8c62395d
                    • Instruction Fuzzy Hash: 87E0863268021477E6301759BC4DF8B3A5CD786B75F104320F759760D046A0150166E8
                    APIs
                    • __Init_thread_footer.LIBCMT ref: 00F317F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Init_thread_footer
                    • String ID: CALL
                    • API String ID: 1385522511-4196123274
                    • Opcode ID: 4e90c99f11ae0b8f771b9a51cf0575c39829e85ec60ef6ee068c875f7c908c4b
                    • Instruction ID: e2b41817591969022be0a3d89a5e20b650578ad037a2b4a0f4215aee15dc7c77
                    • Opcode Fuzzy Hash: 4e90c99f11ae0b8f771b9a51cf0575c39829e85ec60ef6ee068c875f7c908c4b
                    • Instruction Fuzzy Hash: 51228C71A08201DFC714DF14C880B2ABBF1BF89324F18892DF49A8B361D775E845EB92
                    APIs
                    • _wcslen.LIBCMT ref: 00F96F6B
                      • Part of subcall function 00F24ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EFD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LibraryLoad_wcslen
                    • String ID: >>>AUTOIT SCRIPT<<<
                    • API String ID: 3312870042-2806939583
                    • Opcode ID: c8c7980f181b01a9779db22f9aed6b83e067c21f0bbf6802cdf2cc5daf98b50c
                    • Instruction ID: 0e055c8583eb2904398e30f500642c6b4a39e5003ae77549ee975136cbd63b3f
                    • Opcode Fuzzy Hash: c8c7980f181b01a9779db22f9aed6b83e067c21f0bbf6802cdf2cc5daf98b50c
                    • Instruction Fuzzy Hash: 2AB1B0315183118FDB14FF20D8919AEB7E5BF94310F04882DF496972A2EB34ED49EB92
                    APIs
                    • GetOpenFileNameW.COMDLG32(?), ref: 00F62C8C
                      • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                      • Part of subcall function 00F22DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F22DC4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen
                    • String ID: X
                    • API String ID: 779396738-3081909835
                    • Opcode ID: c49248ccd6b9e595c041d3f9bff73bf04e86d799e3bec86b2ff9b3bc4cde0fd7
                    • Instruction ID: 313453c0071b94f55fa725dbb3b907d8424d4dfc55cecceacf1951891f5454f5
                    • Opcode Fuzzy Hash: c49248ccd6b9e595c041d3f9bff73bf04e86d799e3bec86b2ff9b3bc4cde0fd7
                    • Instruction Fuzzy Hash: D9219671A0029C9BDB41EF94DC45BEE7BF8AF58314F004059E405EB241DBB85649AFA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID: EA06
                    • API String ID: 2638373210-3962188686
                    • Opcode ID: 3652412907e8be0dec7d857c5e42647c491fd6ec416f882d1a5ea0c8176a7d33
                    • Instruction ID: a7ca1aa24ce2a78313a76f3f127fd1fc87054ccab6fe237c7f40cf06e1b73b3d
                    • Opcode Fuzzy Hash: 3652412907e8be0dec7d857c5e42647c491fd6ec416f882d1a5ea0c8176a7d33
                    • Instruction Fuzzy Hash: 9C01F572C042587EEF18C7A8CC16EAEBBF89B05301F00455EE552D21C1E4B8E6089B60
                    APIs
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F23908
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: IconNotifyShell_
                    • String ID:
                    • API String ID: 1144537725-0
                    • Opcode ID: 091e0c02bff29a18e92662b276767476d3fc9c810e773030925d0f1a4e8a9585
                    • Instruction ID: 6e570c2e7920862d91c3dc500439cebb25066290d16d9e4be21285d5b03d2acb
                    • Opcode Fuzzy Hash: 091e0c02bff29a18e92662b276767476d3fc9c810e773030925d0f1a4e8a9585
                    • Instruction Fuzzy Hash: 5931A0B1A04315CFD320DF24D8857A7BBE8FF49318F00092EF59987240E775AA44EB52
                    APIs
                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F2949C,?,00008000), ref: 00F25773
                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F2949C,?,00008000), ref: 00F64052
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 7c37b0a225b66b70409bfd83358539abb20fa5ef3a412d0237e92cb1c8374bb3
                    • Instruction ID: 91a3c92acddf528610aac7423cb4a885aff917b1a39c35adf19a0d008edd50a3
                    • Opcode Fuzzy Hash: 7c37b0a225b66b70409bfd83358539abb20fa5ef3a412d0237e92cb1c8374bb3
                    • Instruction Fuzzy Hash: 96018431685235B6E3305A29DC0EF977F54DF02B70F108300BE5C6A1E0C7B45454DB90
                    APIs
                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00D71ACD
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D71AF1
                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D71B13
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                    • Instruction ID: b77dcc198b9257f8acf006537ba06e0909cec1c11e914b3554a7b39db2e942b6
                    • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                    • Instruction Fuzzy Hash: 5C12CD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A
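The two function blocks above are the ones an analyst reading this report would pull out first: the `_wcslen`/`LoadLibraryExW` routine whose String ID is `>>>AUTOIT SCRIPT<<<` and whose `LoadLibraryExW` call passes `00000002` (LOAD_LIBRARY_AS_DATAFILE) as its third argument, and the `CreateProcessW` / `Wow64GetThreadContext(?,00010007)` / `ReadProcessMemory(...,00000004,...)` chain that runs from the region at `00D70000`, which the dump source marks as not backed by a PE image. The following is an added triage helper, written for this page and not part of the report or of Joe Sandbox: it parses API lines in exactly the format printed here and flags those patterns. The two sample inputs are lines copied from the blocks above; the regular expressions, the `triage` rules and the reading of the 4-byte `ReadProcessMemory` as a likely `PEB.ImageBaseAddress` fetch are this example's own inference, not something the report states.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example).

Parses the report's own line format and flags:
  * CreateProcessW -> Wow64GetThreadContext -> ReadProcessMemory in a region
    that is not backed by a PE image (process-hollowing / RunPE staging);
  * LoadLibraryExW with LOAD_LIBRARY_AS_DATAFILE next to the AutoIt script
    marker (the compiled-AutoIt runtime locating its embedded script).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: lines copied verbatim from two function blocks of this report.
HOLLOWING_BLOCK = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00D71ACD
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D71AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D71B13
Memory Dump Source
• Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
"""

AUTOIT_BLOCK = """\
APIs
• _wcslen.LIBCMT ref: 00F96F6B
  • Part of subcall function 00F24ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EFD
Memory Dump Source
• Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
Similarity
• API ID: LibraryLoad_wcslen
• String ID: >>>AUTOIT SCRIPT<<<
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function XXXX:" (format as printed in the report).
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
PE_BACKED = re.compile(r"based on PE:\s*(true|false)")
STRING_ID = re.compile(r"^•\s*String ID:\s*(.*)$")

# x86 CONTEXT flag bits from WinNT.h; CONTEXT_FULL = i386|CONTROL|INTEGER|SEGMENTS = 0x10007.
CONTEXT_I386 = 0x00010000
CONTEXT_BITS = {0x1: "CONTROL", 0x2: "INTEGER", 0x4: "SEGMENTS",
                0x8: "FLOATING_POINT", 0x10: "DEBUG_REGISTERS", 0x20: "EXTENDED_REGISTERS"}
LOAD_LIBRARY_AS_DATAFILE = 0x2


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int


@dataclass
class FuncBlock:
    calls: List[ApiCall] = field(default_factory=list)
    string_id: str = ""
    pe_backed: Optional[bool] = None


def parse_block(text: str) -> FuncBlock:
    """Parse one function block of the report into API calls plus dump metadata."""
    blk = FuncBlock()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            blk.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
            continue
        m = PE_BACKED.search(line)
        if m:
            blk.pe_backed = m.group(1) == "true"
            continue
        m = STRING_ID.match(line)
        if m:
            blk.string_id = m.group(1).strip()
    return blk


def decode_context_flags(value: int) -> List[str]:
    names = ["CONTEXT_i386"] if value & CONTEXT_I386 else []
    return names + [n for bit, n in CONTEXT_BITS.items() if value & bit]


def _hexarg(call: ApiCall, idx: int) -> Optional[int]:
    """Argument idx as int, or None when the report prints it as '?' or it is absent."""
    if idx >= len(call.args) or not re.fullmatch(r"[0-9A-Fa-f]+", call.args[idx]):
        return None
    return int(call.args[idx], 16)


def _in_order(names: List[str], wanted: List[str]) -> bool:
    it = iter(names)                      # order-preserving subsequence check
    return all(step in it for step in wanted)


def triage(blk: FuncBlock) -> List[str]:
    """Return human-readable findings for one parsed block (analyst heuristics, not report facts)."""
    findings: List[str] = []
    if _in_order([c.name for c in blk.calls],
                 ["CreateProcessW", "Wow64GetThreadContext", "ReadProcessMemory"]):
        findings.append("hollowing-style chain: create process, fetch thread context, read its memory")
    for c in blk.calls:
        if c.name == "Wow64GetThreadContext":
            flags = _hexarg(c, 1)
            if flags is not None and flags & 0x2:   # INTEGER regs: ebx of a suspended x86 child is its PEB
                findings.append("GetThreadContext flags 0x%X = %s" % (flags, "|".join(decode_context_flags(flags))))
        if c.name == "ReadProcessMemory" and _hexarg(c, 3) == 4:
            findings.append("4-byte ReadProcessMemory (pointer-sized read, e.g. PEB.ImageBaseAddress)")
        if c.name == "LoadLibraryExW":
            lflags = _hexarg(c, 2)
            if lflags is not None and lflags & LOAD_LIBRARY_AS_DATAFILE:
                findings.append("LoadLibraryExW as data file (resource read without executing the module)")
    if blk.pe_backed is False:
        findings.append("code lives in memory not backed by a PE image (unpacked or injected stage)")
    if "AUTOIT SCRIPT" in blk.string_id:
        findings.append("AutoIt script marker referenced: compiled-AutoIt runtime stub")
    return findings


if __name__ == "__main__":
    for label, block in (("00D70000 region", HOLLOWING_BLOCK), ("AutoIt stub", AUTOIT_BLOCK)):
        print(label)
        for f in triage(parse_block(block)):
            print("  -", f)
```

Fed the whole report, the same parser turns the disassembly listing into a short list of the blocks worth opening in the dump; here it isolates the non-PE-backed `00D70000` stage as the one performing the injection and the `00F2xxxx` code as the stock AutoIt interpreter.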
                    APIs
                      • Part of subcall function 00F24E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E9C
                      • Part of subcall function 00F24E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24EAE
                      • Part of subcall function 00F24E90: FreeLibrary.KERNEL32(00000000,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EC0
                    • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EFD
                      • Part of subcall function 00F24E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E62
                      • Part of subcall function 00F24E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24E74
                      • Part of subcall function 00F24E59: FreeLibrary.KERNEL32(00000000,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E87
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Library$Load$AddressFreeProc
                    • String ID:
                    • API String ID: 2632591731-0
                    • Opcode ID: 48f272f90b801678cab12ec9b0a626f0290c502518f9d1131789199655a7eb98
                    • Instruction ID: 8ea6cd67da7be5e131dab0a7be332f230bff5ae01d827ccb14521c1cbc050baa
                    • Opcode Fuzzy Hash: 48f272f90b801678cab12ec9b0a626f0290c502518f9d1131789199655a7eb98
                    • Instruction Fuzzy Hash: 4D11E732610615AADF14EB64ED12FAD77A5AF90B10F10842DF542AB1C1DEB8AE05BB90
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __wsopen_s
                    • String ID:
                    • API String ID: 3347428461-0
                    • Opcode ID: 16cef2c9fe8d02f8faf20fbcb16d2f43b2c94a639e16c0eff98af7c367ea3678
                    • Instruction ID: e2e996385bfe147e688ea534f5d0dc0b1d2d7a8bd2fb116916875d0ad4a00abb
                    • Opcode Fuzzy Hash: 16cef2c9fe8d02f8faf20fbcb16d2f43b2c94a639e16c0eff98af7c367ea3678
                    • Instruction Fuzzy Hash: 4411487190410AAFCB05DF58E9409DA7BF9EF48310F104059FD09AB312DA31DA16DBA4
                    APIs
                    • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,00F2543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00F29A9C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: de0b877b589223ab8bcad395c62ea4d9868fdd30258075736ada6013f063d492
                    • Instruction ID: 224f3c7c6c9d115451783103f944da1dc296dbb47aed8d1ea7e3fb70cd6bd357
                    • Opcode Fuzzy Hash: de0b877b589223ab8bcad395c62ea4d9868fdd30258075736ada6013f063d492
                    • Instruction Fuzzy Hash: 56114C312087159FEB20CF05D881B66B7F9EF44764F10C42DE5AB87651C7B4A945EF60
                    APIs
                      • Part of subcall function 00F54C7D: RtlAllocateHeap.NTDLL(00000008,00F21129,00000000,?,00F52E29,00000001,00000364,?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?), ref: 00F54CBE
                    • _free.LIBCMT ref: 00F5506C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                    • Instruction ID: f136572af93f54b827410748478451c2842a5bda07bd49508ceb4a2ced94f2a6
                    • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                    • Instruction Fuzzy Hash: 0C014E726047055BE331CF59DC45A5AFBECFB85371F25051DEA84932C0E6306809C774
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                    • Instruction ID: 0b8ec2d4a1c6c9e987b14229c96c0143848508e1a9bfd70e1dd8b31fdc2a5837
                    • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                    • Instruction Fuzzy Hash: 0CF07D33920A1096D7313A79DC05B573B9CAF52331F110715FD24932C1CB7CD806BAA5
                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,00F21129,00000000,?,00F52E29,00000001,00000364,?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?), ref: 00F54CBE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 2a26d6b87ced5a659e46fffc1d6d319dc4228fe66824b570d90d617d0a482b52
                    • Instruction ID: 019d7d8ce26194f866b39d6433fd280d3244fa01008c80d295136cacd56a56cf
                    • Opcode Fuzzy Hash: 2a26d6b87ced5a659e46fffc1d6d319dc4228fe66824b570d90d617d0a482b52
                    • Instruction Fuzzy Hash: C0F0E932A0223467DB215F629C0DB5B3B88BFC17BAB144111BE19F7281CA70F848B6F0
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: 5d03e9a025b6e7ecb50eb9bafea2b216be1a3f2332e7c0e77efa803a8d3ef4c6
                    • Instruction ID: 6b3b88908014bfe6bfd8cb2a6b2e308a0dd947e55f5dd0a75c9d0151378738e8
                    • Opcode Fuzzy Hash: 5d03e9a025b6e7ecb50eb9bafea2b216be1a3f2332e7c0e77efa803a8d3ef4c6
                    • Instruction Fuzzy Hash: 54E0E533900624A6D635266F9C00B9B3A48AF427F3F090121BE14A3581CB61EE09B1E0
                    APIs
                    • FreeLibrary.KERNEL32(?,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24F6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 617a7892c9105bbef723717e6b1b977281622eb74d6ac2d18a5f84b9837b16a4
                    • Instruction ID: 68dfd6755f9b7f1257a8fdb9815127c3929d6768f0f947dd5970b317f7adc004
                    • Opcode Fuzzy Hash: 617a7892c9105bbef723717e6b1b977281622eb74d6ac2d18a5f84b9837b16a4
                    • Instruction Fuzzy Hash: D2F03071505761CFDB349F64E590912BBE4FF54329310897EE5EA83511C7B1A844EF50
                    APIs
                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F22DC4
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LongNamePath_wcslen
                    • String ID:
                    • API String ID: 541455249-0
                    • Opcode ID: 5347ebe147d11c0808e61bbfae23a0bb4acc4715346fe995e5a5cb7c1de1fb39
                    • Instruction ID: 39c80f495e7875dddc76ea07a913724f66d63737c204be4cf35e3b604e98eb1c
                    • Opcode Fuzzy Hash: 5347ebe147d11c0808e61bbfae23a0bb4acc4715346fe995e5a5cb7c1de1fb39
                    • Instruction Fuzzy Hash: FDE0CD726001245BC72092589C05FDA77DDDFC8790F050171FD09D7248D964AD809590
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                    • Instruction ID: b629f9cbafb7097a2ff44290b71ed19e676b2289d91a1ea3810ac46d895c5774
                    • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                    • Instruction Fuzzy Hash: 31E04FB0609B005FDF799E28A8517B677E89F4A310F00086EF69B82652E57268459A4D
                    APIs
                      • Part of subcall function 00F23837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F23908
                      • Part of subcall function 00F2D730: GetInputState.USER32 ref: 00F2D807
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F22B6B
                      • Part of subcall function 00F230F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F2314E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$CurrentDirectoryInputState
                    • String ID:
                    • API String ID: 3667716007-0
                    • Opcode ID: dcad359377a48eef9b38ddb17f0a0cf809cc2b3b4dfce5480f1fed43df9020c5
                    • Instruction ID: 05d2b3a5349225deddd9b3af15e40c0142b059b4af2d009eecdf0b41d01197dd
                    • Opcode Fuzzy Hash: dcad359377a48eef9b38ddb17f0a0cf809cc2b3b4dfce5480f1fed43df9020c5
                    • Instruction Fuzzy Hash: 1DE0266230422C02CA04FB34BC524BDB349EFD2311F84053EF14243163CE2C4545B2A1
                    APIs
                    • CreateFileW.KERNELBASE(00000000,00000000,?,00F60704,?,?,00000000,?,00F60704,00000000,0000000C), ref: 00F603B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 5671df99a47a9a5bb2eb8ed19d2bfa09b6d9f655e6da725e2d125c688130014e
                    • Instruction ID: 3b0fa7eaba43774650c55ffffa23dc0a2d161dc67636eb0b2ab30553845e96e6
                    • Opcode Fuzzy Hash: 5671df99a47a9a5bb2eb8ed19d2bfa09b6d9f655e6da725e2d125c688130014e
                    • Instruction Fuzzy Hash: E6D06C3214010DBBDF028F84DD46EDA3BAAFB48714F014100BE1866020C732E821AB90
                    APIs
                    • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F21CBC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: InfoParametersSystem
                    • String ID:
                    • API String ID: 3098949447-0
                    • Opcode ID: a15f24c94591038db42154a89b43f8b0ac95154a6daeaa2066a37a8da8f74651
                    • Instruction ID: 5e982aab4f62ac04e6d8d39fd8e0f515c89d2d5e8ea755f460028cc65772f50f
                    • Opcode Fuzzy Hash: a15f24c94591038db42154a89b43f8b0ac95154a6daeaa2066a37a8da8f74651
                    • Instruction Fuzzy Hash: 59C09B3628030DDFF2144B80BC4AF217758B748F00F0C4001F609555E3C7A11410FA50
                    APIs
                      • Part of subcall function 00F25745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F2949C,?,00008000), ref: 00F25773
                    • GetLastError.KERNEL32(00000002,00000000), ref: 00F976DE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateErrorFileLast
                    • String ID:
                    • API String ID: 1214770103-0
                    • Opcode ID: d9cd3ef35dc5a81292ccac9fde9da4f364e22dd2a6fd94c19448847d4eff5d9a
                    • Instruction ID: b1ed7496c21c418088c06956b5e0dcbb721fe451fdb682102709d8e805346dd2
                    • Opcode Fuzzy Hash: d9cd3ef35dc5a81292ccac9fde9da4f364e22dd2a6fd94c19448847d4eff5d9a
                    • Instruction Fuzzy Hash: 5A81AF306087119FDB14FF28D891BA9B7E1BF88710F08452DF8865B292DB34ED45EB92
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AllocVirtual
                    • String ID:
                    • API String ID: 4275171209-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 722fb28b5875da46d23c66e04d0b27772e8baa09f743dcea15ae73cddc879b1d
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 9F311275E0010A9BC718CF19D084A69FBA1FB49360F6492A5E80ACB616D731EEC4EBC0
                    APIs
                    • Sleep.KERNELBASE(000001F4), ref: 00D722B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: 25eff44ecdf6c3e8b825f44252fcf136bf335487aff89274483f0e2260cb45e9
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: A1E0E67494010EDFDB00EFB8D5496AE7FF4EF04301F104161FD05D2281D6309D508A72
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FB961A
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FB965B
                    • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FB969F
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB96C9
                    • SendMessageW.USER32 ref: 00FB96F2
                    • GetKeyState.USER32(00000011), ref: 00FB978B
                    • GetKeyState.USER32(00000009), ref: 00FB9798
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FB97AE
                    • GetKeyState.USER32(00000010), ref: 00FB97B8
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FB97E9
                    • SendMessageW.USER32 ref: 00FB9810
                    • SendMessageW.USER32(?,00001030,?,00FB7E95), ref: 00FB9918
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FB992E
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FB9941
                    • SetCapture.USER32(?), ref: 00FB994A
                    • ClientToScreen.USER32(?,?), ref: 00FB99AF
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FB99BC
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FB99D6
                    • ReleaseCapture.USER32 ref: 00FB99E1
                    • GetCursorPos.USER32(?), ref: 00FB9A19
                    • ScreenToClient.USER32(?,?), ref: 00FB9A26
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FB9A80
                    • SendMessageW.USER32 ref: 00FB9AAE
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FB9AEB
                    • SendMessageW.USER32 ref: 00FB9B1A
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FB9B3B
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FB9B4A
                    • GetCursorPos.USER32(?), ref: 00FB9B68
                    • ScreenToClient.USER32(?,?), ref: 00FB9B75
                    • GetParent.USER32(?), ref: 00FB9B93
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FB9BFA
                    • SendMessageW.USER32 ref: 00FB9C2B
                    • ClientToScreen.USER32(?,?), ref: 00FB9C84
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FB9CB4
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FB9CDE
                    • SendMessageW.USER32 ref: 00FB9D01
                    • ClientToScreen.USER32(?,?), ref: 00FB9D4E
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FB9D82
                      • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB9E05
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                    • String ID: @GUI_DRAGID$F
                    • API String ID: 3429851547-4164748364
                    • Opcode ID: d3d6d835c095ca1c499009fc397046eedbbec1870ea10aed6ac595520d4ca706
                    • Instruction ID: 31988d05ca101e71924b532a5c91de9a0e6f4c24afc4a6b7104dd51e51e0d9a6
                    • Opcode Fuzzy Hash: d3d6d835c095ca1c499009fc397046eedbbec1870ea10aed6ac595520d4ca706
                    • Instruction Fuzzy Hash: DA429C31608245AFD724CF25CC84EEABBE6FF49320F144619F699872A1D7B1E850EF91
                    APIs
                    • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FB48F3
                    • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FB4908
                    • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FB4927
                    • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FB494B
                    • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FB495C
                    • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FB497B
                    • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FB49AE
                    • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FB49D4
                    • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FB4A0F
                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FB4A56
                    • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FB4A7E
                    • IsMenu.USER32(?), ref: 00FB4A97
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB4AF2
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FB4B20
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB4B94
                    • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FB4BE3
                    • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FB4C82
                    • wsprintfW.USER32 ref: 00FB4CAE
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB4CC9
                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FB4CF1
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FB4D13
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB4D33
                    • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FB4D5A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                    • String ID: %d/%02d/%02d
                    • API String ID: 4054740463-328681919
                    • Opcode ID: 651b3a528d31aa56bea1c0c4cb09840111f23d4befc2f4d3126402a5c78e869e
                    • Instruction ID: 81553b5f944e119916037cc0beedd155864f12d4332b2ffa350691c0502f2079
                    • Opcode Fuzzy Hash: 651b3a528d31aa56bea1c0c4cb09840111f23d4befc2f4d3126402a5c78e869e
                    • Instruction Fuzzy Hash: B312D071900218ABEB248F26CD49FEE7BB8EF49720F104229F515DB2D2DB74A941EF50
                    APIs
                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F3F998
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F7F474
                    • IsIconic.USER32(00000000), ref: 00F7F47D
                    • ShowWindow.USER32(00000000,00000009), ref: 00F7F48A
                    • SetForegroundWindow.USER32(00000000), ref: 00F7F494
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F7F4AA
                    • GetCurrentThreadId.KERNEL32 ref: 00F7F4B1
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F7F4BD
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7F4CE
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F7F4D6
                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F7F4DE
                    • SetForegroundWindow.USER32(00000000), ref: 00F7F4E1
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F4F6
                    • keybd_event.USER32(00000012,00000000), ref: 00F7F501
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F50B
                    • keybd_event.USER32(00000012,00000000), ref: 00F7F510
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F519
                    • keybd_event.USER32(00000012,00000000), ref: 00F7F51E
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F7F528
                    • keybd_event.USER32(00000012,00000000), ref: 00F7F52D
                    • SetForegroundWindow.USER32(00000000), ref: 00F7F530
                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F7F557
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: 4a3ff44c89f0c1e7578c9cc4c2cd41170d407bc3fc3fb0598c3ac8d6a771a8ea
                    • Instruction ID: 58623df970fbcecaf896ecc2c28c7efa4c994b0e738ac140c2f3be4f460c8058
                    • Opcode Fuzzy Hash: 4a3ff44c89f0c1e7578c9cc4c2cd41170d407bc3fc3fb0598c3ac8d6a771a8ea
                    • Instruction Fuzzy Hash: FD317271E4021CBBEB206BB59C8AFBF7E6DEB44B50F144166FA04E61D1C6B15D00BEA1
                    APIs
                      • Part of subcall function 00F816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                      • Part of subcall function 00F816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                      • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F81286
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F812A8
                    • CloseHandle.KERNEL32(?), ref: 00F812B9
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F812D1
                    • GetProcessWindowStation.USER32 ref: 00F812EA
                    • SetProcessWindowStation.USER32(00000000), ref: 00F812F4
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F81310
                      • Part of subcall function 00F810BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F811FC), ref: 00F810D4
                      • Part of subcall function 00F810BF: CloseHandle.KERNEL32(?,?,00F811FC), ref: 00F810E9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                    • String ID: $default$winsta0
                    • API String ID: 22674027-1027155976
                    • Opcode ID: 5332ef6c68165bcad8a5677fd7ac04922bdc172c59e9de87ac2baee7c53a1e3a
                    • Instruction ID: e0c8e387ab0e21d9dd2353350f493b4444b332a03f96f5cd12202d0f3e4b52c2
                    • Opcode Fuzzy Hash: 5332ef6c68165bcad8a5677fd7ac04922bdc172c59e9de87ac2baee7c53a1e3a
                    • Instruction Fuzzy Hash: 53818871900209ABDF20EFA4DC89FEE7BBDFF05714F144229F911A62A0D7348956EB60
                    APIs
                      • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                      • Part of subcall function 00F810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                      • Part of subcall function 00F810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                      • Part of subcall function 00F810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                      • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F80BCC
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F80C00
                    • GetLengthSid.ADVAPI32(?), ref: 00F80C17
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F80C51
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F80C6D
                    • GetLengthSid.ADVAPI32(?), ref: 00F80C84
                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F80C8C
                    • HeapAlloc.KERNEL32(00000000), ref: 00F80C93
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F80CB4
                    • CopySid.ADVAPI32(00000000), ref: 00F80CBB
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F80CEA
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F80D0C
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F80D1E
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D45
                    • HeapFree.KERNEL32(00000000), ref: 00F80D4C
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D55
                    • HeapFree.KERNEL32(00000000), ref: 00F80D5C
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80D65
                    • HeapFree.KERNEL32(00000000), ref: 00F80D6C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F80D78
                    • HeapFree.KERNEL32(00000000), ref: 00F80D7F
                      • Part of subcall function 00F81193: GetProcessHeap.KERNEL32(00000008,00F80BB1,?,00000000,?,00F80BB1,?), ref: 00F811A1
                      • Part of subcall function 00F81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F80BB1,?), ref: 00F811A8
                      • Part of subcall function 00F81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F80BB1,?), ref: 00F811B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                    • String ID:
                    • API String ID: 4175595110-0
                    • Opcode ID: d3b11ea4488710c9ecf65decebdbec14602038e8f0fb6d195ef6971badd997ad
                    • Instruction ID: b8f5dba1e8e3b3991f8722c723f8ee529657037755593c99b7289a6c9d34d7cd
                    • Opcode Fuzzy Hash: d3b11ea4488710c9ecf65decebdbec14602038e8f0fb6d195ef6971badd997ad
                    • Instruction Fuzzy Hash: 39716A7290020AAFDF50AFA5DC84FEEBBB8BF05350F444615E914E7191DB71A909EFA0
                    APIs
                    • OpenClipboard.USER32(00FBCC08), ref: 00F9EB29
                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F9EB37
                    • GetClipboardData.USER32(0000000D), ref: 00F9EB43
                    • CloseClipboard.USER32 ref: 00F9EB4F
                    • GlobalLock.KERNEL32(00000000), ref: 00F9EB87
                    • CloseClipboard.USER32 ref: 00F9EB91
                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F9EBBC
                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00F9EBC9
                    • GetClipboardData.USER32(00000001), ref: 00F9EBD1
                    • GlobalLock.KERNEL32(00000000), ref: 00F9EBE2
                    • GlobalUnlock.KERNEL32(00000000,?), ref: 00F9EC22
                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 00F9EC38
                    • GetClipboardData.USER32(0000000F), ref: 00F9EC44
                    • GlobalLock.KERNEL32(00000000), ref: 00F9EC55
                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F9EC77
                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F9EC94
                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F9ECD2
                    • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00F9ECF3
                    • CountClipboardFormats.USER32 ref: 00F9ED14
                    • CloseClipboard.USER32 ref: 00F9ED59
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                    • String ID:
                    • API String ID: 420908878-0
                    • Opcode ID: d47ad27b5c6df44265713ca629e7020ca3b6911baa8e6ef986cb5a627ce207bb
                    • Instruction ID: 451046997a26711ddc3481746fc1a0080a3c0207aab125a9c9352b3a816cf5fd
                    • Opcode Fuzzy Hash: d47ad27b5c6df44265713ca629e7020ca3b6911baa8e6ef986cb5a627ce207bb
                    • Instruction Fuzzy Hash: 8161D035204206AFE700EF24DC85F6AB7A4EF84714F14461DF456972A2DB71DD05EBA2
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00F969BE
                    • FindClose.KERNEL32(00000000), ref: 00F96A12
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F96A4E
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F96A75
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F96AB2
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F96ADF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                    • API String ID: 3830820486-3289030164
                    • Opcode ID: 5d83818cecd6a97290bcffd97a7513ba302946069599d196442b9a599b972643
                    • Instruction ID: 1d5a64d43bd3bcdfce7e608ff5e462b4efb59a110c06478ccf430b832192a08d
                    • Opcode Fuzzy Hash: 5d83818cecd6a97290bcffd97a7513ba302946069599d196442b9a599b972643
                    • Instruction Fuzzy Hash: 4ED16172908314AEC710EB60DD91EAFB7ECAF88704F44491DF585C7191EB78DA08DBA2
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F99663
                    • GetFileAttributesW.KERNEL32(?), ref: 00F996A1
                    • SetFileAttributesW.KERNEL32(?,?), ref: 00F996BB
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F996D3
                    • FindClose.KERNEL32(00000000), ref: 00F996DE
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F996FA
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F9974A
                    • SetCurrentDirectoryW.KERNEL32(00FE6B7C), ref: 00F99768
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F99772
                    • FindClose.KERNEL32(00000000), ref: 00F9977F
                    • FindClose.KERNEL32(00000000), ref: 00F9978F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1409584000-438819550
                    • Opcode ID: 075f08cb47178dd4558ba113435e765d842d1390a260f8dedcad3a93d5f0d15e
                    • Instruction ID: fd135d91897213130085760bca146cc847d565911c56adb19efdcd75c5152084
                    • Opcode Fuzzy Hash: 075f08cb47178dd4558ba113435e765d842d1390a260f8dedcad3a93d5f0d15e
                    • Instruction Fuzzy Hash: 3731E33290520D6BEF14AFF9DC48ADF37AC9F49320F15425AF914E20A0DBB4DA40AE61
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F997BE
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F99819
                    • FindClose.KERNEL32(00000000), ref: 00F99824
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00F99840
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F99890
                    • SetCurrentDirectoryW.KERNEL32(00FE6B7C), ref: 00F998AE
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F998B8
                    • FindClose.KERNEL32(00000000), ref: 00F998C5
                    • FindClose.KERNEL32(00000000), ref: 00F998D5
                      • Part of subcall function 00F8DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F8DB00
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 2640511053-438819550
                    • Opcode ID: 0c5353e6e4c12b9ed0801b3e84f4fcc422bf3d6dd72f6f39709c4ccbb8d7d15b
                    • Instruction ID: 299f15e3189ba1eb6bdedc5031c95a3ae95d2c7c0e6c902da7d6091750c4e4b6
                    • Opcode Fuzzy Hash: 0c5353e6e4c12b9ed0801b3e84f4fcc422bf3d6dd72f6f39709c4ccbb8d7d15b
                    • Instruction Fuzzy Hash: E931F63190421D6BEF20EFB9DC48ADE37AC9F46330F55415DE810E20A1DBB0DA44EE60
                    APIs
                    • GetLocalTime.KERNEL32(?), ref: 00F98257
                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F98267
                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F98273
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F98310
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98324
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98356
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F9838C
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98395
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CurrentDirectoryTime$File$Local$System
                    • String ID: *.*
                    • API String ID: 1464919966-438819550
                    • Opcode ID: 2c2b78109ff5184d99116959ddc557495a628097f56cd06c2455eccf3cf04404
                    • Instruction ID: c997c5b4d5cea325e3127b66c11a5399fd00c5e10eb70ef93fca5b1509eee1de
                    • Opcode Fuzzy Hash: 2c2b78109ff5184d99116959ddc557495a628097f56cd06c2455eccf3cf04404
                    • Instruction Fuzzy Hash: 6F6179725083059FDB10EF60D8819AEB3E8FF89360F04492EF989C7251DB35E946DB92
                    APIs
                      • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                      • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                    • FindFirstFileW.KERNEL32(?,?), ref: 00F8D122
                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F8D1DD
                    • MoveFileW.KERNEL32(?,?), ref: 00F8D1F0
                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F8D20D
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8D237
                      • Part of subcall function 00F8D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F8D21C,?,?), ref: 00F8D2B2
                    • FindClose.KERNEL32(00000000,?,?,?), ref: 00F8D253
                    • FindClose.KERNEL32(00000000), ref: 00F8D264
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 1946585618-1173974218
                    • Opcode ID: 28716bf5b54b51fcaa0f64a954ca0641e84aced6938512ea7c48344899e7a004
                    • Instruction ID: 951172c9645c1f0708716d49738efc139912929b33bd5d8ca48b70270e89e15b
                    • Opcode Fuzzy Hash: 28716bf5b54b51fcaa0f64a954ca0641e84aced6938512ea7c48344899e7a004
                    • Instruction Fuzzy Hash: 50615A31C0511DABCF05FBA0EE929EDB7B9AF15300F644165E402B7191EB38AF09EB60
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: 04489e96c245cd8e1fb3ca42ed25054a4a0b0dd84bac06fe02aa6a73e44125a3
                    • Instruction ID: ace9be1c466bcf06575bc5f9feebd5b16edf8dea63c6c435a80a1e3b61f83b94
                    • Opcode Fuzzy Hash: 04489e96c245cd8e1fb3ca42ed25054a4a0b0dd84bac06fe02aa6a73e44125a3
                    • Instruction Fuzzy Hash: 7B417B35604615AFEB20DF15E888F1ABBA5FF44328F158199E4198BA62C735EC41EBD0
                    APIs
                      • Part of subcall function 00F816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                      • Part of subcall function 00F816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                      • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
                    • ExitWindowsEx.USER32(?,00000000), ref: 00F8E932
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $ $@$SeShutdownPrivilege
                    • API String ID: 2234035333-3163812486
                    • Opcode ID: 3df3506afc2455365faa774766a0a407ad25da8c72ae8746986bdf59081b15d3
                    • Instruction ID: 8190633d80e8d0dddc426b331f8201735451c22697fd686ddbecb51a8fec01fb
                    • Opcode Fuzzy Hash: 3df3506afc2455365faa774766a0a407ad25da8c72ae8746986bdf59081b15d3
                    • Instruction Fuzzy Hash: E501D673A10215ABEB6436B49C86FFF725CAB14760F154521F813E21E2D6E49C40B7E0
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FA1276
                    • WSAGetLastError.WSOCK32 ref: 00FA1283
                    • bind.WSOCK32(00000000,?,00000010), ref: 00FA12BA
                    • WSAGetLastError.WSOCK32 ref: 00FA12C5
                    • closesocket.WSOCK32(00000000), ref: 00FA12F4
                    • listen.WSOCK32(00000000,00000005), ref: 00FA1303
                    • WSAGetLastError.WSOCK32 ref: 00FA130D
                    • closesocket.WSOCK32(00000000), ref: 00FA133C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast$closesocket$bindlistensocket
                    • String ID:
                    • API String ID: 540024437-0
                    • Opcode ID: eff2b741c1acbac1118fe8b523fc45e17702f8f192e4bc44930af6a3b6048f0d
                    • Instruction ID: 49bb44363143d1217ba9f1d4267bd504b6e721ab007776e141481d7606cfbadb
                    • Opcode Fuzzy Hash: eff2b741c1acbac1118fe8b523fc45e17702f8f192e4bc44930af6a3b6048f0d
                    • Instruction Fuzzy Hash: 8241B371A002149FD710EF24D4C9B2ABBE5BF46328F198188E8569F2D6C775EC81DBE1
                    APIs
                    • _free.LIBCMT ref: 00F5B9D4
                    • _free.LIBCMT ref: 00F5B9F8
                    • _free.LIBCMT ref: 00F5BB7F
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FC3700), ref: 00F5BB91
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F5BC09
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF1270,000000FF,?,0000003F,00000000,?), ref: 00F5BC36
                    • _free.LIBCMT ref: 00F5BD4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID:
                    • API String ID: 314583886-0
                    • Opcode ID: 0980afef69c01453b5a64fc583e9764f307543f555b3ba684918b765761ae046
                    • Instruction ID: 4b75191a798d622d6086f4a3c61c4741c873af12cb6f2401779b992ce8bbcb5f
                    • Opcode Fuzzy Hash: 0980afef69c01453b5a64fc583e9764f307543f555b3ba684918b765761ae046
                    • Instruction Fuzzy Hash: 14C12871D04209AFDB20DF698C45BBA7BB8EF42322F14419AEE90D7251E7349E49F750
                    APIs
                      • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                      • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                    • FindFirstFileW.KERNEL32(?,?), ref: 00F8D420
                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F8D470
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8D481
                    • FindClose.KERNEL32(00000000), ref: 00F8D498
                    • FindClose.KERNEL32(00000000), ref: 00F8D4A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                    • String ID: \*.*
                    • API String ID: 2649000838-1173974218
                    • Opcode ID: e010d355a88b3c3bf07c726b43097bdf762573541127f97acd48079bfb660d1b
                    • Instruction ID: cb0b6accfb3799b1fcde47824b6e00202532372cfb71066a621af438742c6838
                    • Opcode Fuzzy Hash: e010d355a88b3c3bf07c726b43097bdf762573541127f97acd48079bfb660d1b
                    • Instruction Fuzzy Hash: 44317E714083559BC304FF64DC968EFB7A8BE91314F844A2DF4D193191EB34AA09EBA3
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __floor_pentium4
                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                    • API String ID: 4168288129-2761157908
                    • Opcode ID: 2d3e79a5e559855455012afa06a428d4fd30ea96d9d4bffac1d3423bd47daf15
                    • Instruction ID: 3f11049aa5774efd851a16d9eaa418128b5e3293ddcf664801ef012c757a354c
                    • Opcode Fuzzy Hash: 2d3e79a5e559855455012afa06a428d4fd30ea96d9d4bffac1d3423bd47daf15
                    • Instruction Fuzzy Hash: 14C28072E046288FDB29CF28DD407E9B7B5EB44316F1441EAD94DE7240E778AE899F40
                    APIs
                    • _wcslen.LIBCMT ref: 00F964DC
                    • CoInitialize.OLE32(00000000), ref: 00F96639
                    • CoCreateInstance.OLE32(00FBFCF8,00000000,00000001,00FBFB68,?), ref: 00F96650
                    • CoUninitialize.OLE32 ref: 00F968D4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                    • String ID: .lnk
                    • API String ID: 886957087-24824748
                    • Opcode ID: 1b8b11ac51766257a688331dcd7064b66e428ac6745b6250c3a4371745f16580
                    • Instruction ID: 48609cd18c5e25000d4d62e1d8b3c8bee6a69a5536ecbde1f074a764a879c82d
                    • Opcode Fuzzy Hash: 1b8b11ac51766257a688331dcd7064b66e428ac6745b6250c3a4371745f16580
                    • Instruction Fuzzy Hash: EFD14671508211AFD704EF24D891A6BB7E8FF98304F04496DF595CB2A1EB70ED09DBA2
                    APIs
                    • GetForegroundWindow.USER32(?,?,00000000), ref: 00FA22E8
                      • Part of subcall function 00F9E4EC: GetWindowRect.USER32(?,?), ref: 00F9E504
                    • GetDesktopWindow.USER32 ref: 00FA2312
                    • GetWindowRect.USER32(00000000), ref: 00FA2319
                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FA2355
                    • GetCursorPos.USER32(?), ref: 00FA2381
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FA23DF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                    • String ID:
                    • API String ID: 2387181109-0
                    • Opcode ID: 56e51a49baa076f9441df4fffde18538b4f16c3c658b509a86d170571c27dc7c
                    • Instruction ID: 64d2f7afbdd1de37d3a2e3e4729a51f924f06913ecae77513880726e8744dcb0
                    • Opcode Fuzzy Hash: 56e51a49baa076f9441df4fffde18538b4f16c3c658b509a86d170571c27dc7c
                    • Instruction Fuzzy Hash: C031AF72604319AFDB20DF58CC45B9BB7A9FF86314F000A19F98597191DB74E908DBD2
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F99B78
                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F99C8B
                      • Part of subcall function 00F93874: GetInputState.USER32 ref: 00F938CB
                      • Part of subcall function 00F93874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F93966
                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F99BA8
                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F99C75
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                    • String ID: *.*
                    • API String ID: 1972594611-438819550
                    • Opcode ID: dddcbc0fe02b48ba789acb80a026e6675cbb84be1d6658b168ec206c2f6e0ba3
                    • Instruction ID: 43c703567d7c65b144c4acd1e7f418f39da9fcb567e5e9772978fc0ad3afd009
                    • Opcode Fuzzy Hash: dddcbc0fe02b48ba789acb80a026e6675cbb84be1d6658b168ec206c2f6e0ba3
                    • Instruction Fuzzy Hash: 5E419E71D0820A9FDF14DF68CC85AEEBBB8EF05310F24415AE805A2191EB749F44EFA0
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F39A4E
                    • GetSysColor.USER32(0000000F), ref: 00F39B23
                    • SetBkColor.GDI32(?,00000000), ref: 00F39B36
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Color$LongProcWindow
                    • String ID:
                    • API String ID: 3131106179-0
                    • Opcode ID: f5f0cd0c9dab46e8b321fc957fa11450c3c11f51a0fd9eb78fd416d6bce081de
                    • Instruction ID: 2ef734a22eed5c486a1aada3826185b77dde6a05ae1666abe65bd4792c25a9b6
                    • Opcode Fuzzy Hash: f5f0cd0c9dab46e8b321fc957fa11450c3c11f51a0fd9eb78fd416d6bce081de
                    • Instruction Fuzzy Hash: 43A12D7251C504EEEB28AA3D8C59F7B355DEB82370F14430AF502C6695CAED9D01F672
                    APIs
                      • Part of subcall function 00FA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                      • Part of subcall function 00FA304E: _wcslen.LIBCMT ref: 00FA309B
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FA185D
                    • WSAGetLastError.WSOCK32 ref: 00FA1884
                    • bind.WSOCK32(00000000,?,00000010), ref: 00FA18DB
                    • WSAGetLastError.WSOCK32 ref: 00FA18E6
                    • closesocket.WSOCK32(00000000), ref: 00FA1915
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 1601658205-0
                    • Opcode ID: 41586b20cff3603bafd14fca7a3d3d37f8bd2469a789b9bcbb7a76b87c88be8e
                    • Instruction ID: af677b4c19437f6eaffb3652854be12cbfa6b209ffc700e37293153c9a548549
                    • Opcode Fuzzy Hash: 41586b20cff3603bafd14fca7a3d3d37f8bd2469a789b9bcbb7a76b87c88be8e
                    • Instruction Fuzzy Hash: 5851A171A002109FDB10EF24D896F2A77E5AB49718F188158F9059F2C3CA79AD41DBE1
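The per-function API listings above (the socket/bind/listen entry, the UDP socket entry, the LookupPrivilegeValueW/AdjustTokenPrivileges/ExitWindowsEx entry and the FindFirstFileW/DeleteFileW directory walk) are easier to triage as ordered call sequences than by eye. The Python script below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses the report's "APIs" blocks into one call list per function, matches ordered API subsequences against a small rule set, and decodes the socket() constants so that a TCP listener is told apart from a UDP socket that is merely bound. The excerpt it runs on is constructed from entries visible on this page; the rule names and chains are the example's own choices. One caveat when reading hits: if the binary is a compiled AutoIt script, as the report's signature suggests, these chains largely belong to the interpreter's built-in functions and show what the runtime can do, not necessarily what the embedded script does.

```python
"""Parse the per-function "APIs" listings of a Joe Sandbox disassembly report and
flag call chains worth a closer look. Added example for this page; not part of the
report or the sample. SAMPLE_REPORT is constructed from entries visible on the page."""
import re
from typing import Dict, List, NamedTuple, Optional

# One call line, with or without arguments and with or without a "Part of subcall" prefix:
#   • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FA1276
#   • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

class Call(NamedTuple):
    api: str
    module: str
    args: Optional[str]     # raw argument list, None when the report shows none
    ref: str                # address of the call site
    parent: Optional[str]   # owning function when marked "Part of subcall function"

def parse_entries(report: str) -> List[List[Call]]:
    """Return one ordered list of Calls per 'APIs' block, in report order."""
    entries: List[List[Call]] = []
    current: Optional[List[Call]] = None
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            entries.append(current)
        elif stripped in ("Strings", "Memory Dump Source"):
            current = None                      # the APIs table of this entry has ended
        elif current is not None and (m := CALL_RE.match(line)):
            current.append(Call(m["api"], m["module"], m["args"], m["ref"], m["parent"]))
    return entries

def in_order(chain: List[str], names: List[str]) -> bool:
    """True when every API in `chain` occurs in `names` in that relative order."""
    it = iter(names)
    return all(any(n == want for n in it) for want in chain)

AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {0: "any", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

def socket_kind(args: str) -> str:
    """Decode the hex (af, type, protocol) constants of a socket() call."""
    try:
        af, stype, proto = (int(f, 16) for f in args.split(",")[:3])
    except ValueError:                          # a '?' means the value was not recovered statically
        return "unresolved"
    return "/".join((AF.get(af, f"af={af}"), SOCK.get(stype, f"type={stype}"),
                     PROTO.get(proto, f"proto={proto}")))

# Ordered API subsequences; calls in between (WSAGetLastError, FindClose, ...) are ignored.
CHAIN_RULES: Dict[str, List[str]] = {
    "socket bound to a local address": ["socket", "bind"],
    "listening socket (possible backdoor)": ["socket", "bind", "listen"],
    "token privilege adjusted before ExitWindowsEx": ["LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx"],
    "directory walk that deletes files": ["FindFirstFileW", "DeleteFileW", "FindNextFileW"],
}

def classify(entry: List[Call]) -> List[str]:
    names = [c.api for c in entry]
    findings = [label for label, chain in CHAIN_RULES.items() if in_order(chain, names)]
    findings += [f"socket: {socket_kind(c.args)}" for c in entry if c.api == "socket" and c.args]
    return findings

def scan(report: str) -> List[List[str]]:
    return [classify(entry) for entry in parse_entries(report)]

SAMPLE_REPORT = """\
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FA1276
• WSAGetLastError.WSOCK32 ref: 00FA1283
• bind.WSOCK32(00000000,?,00000010), ref: 00FA12BA
• listen.WSOCK32(00000000,00000005), ref: 00FA1303
Memory Dump Source
APIs
  • Part of subcall function 00FA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
  • Part of subcall function 00FA304E: _wcslen.LIBCMT ref: 00FA309B
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00FA185D
• bind.WSOCK32(00000000,?,00000010), ref: 00FA18DB
Memory Dump Source
APIs
  • Part of subcall function 00F816C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
  • Part of subcall function 00F816C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
  • Part of subcall function 00F816C3: GetLastError.KERNEL32 ref: 00F8174A
• ExitWindowsEx.USER32(?,00000000), ref: 00F8E932
Strings
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00F8D420
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00F8D470
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00F8D481
Strings
"""

if __name__ == "__main__":
    for i, findings in enumerate(scan(SAMPLE_REPORT)):
        print(f"entry {i}: {findings or ['nothing flagged']}")
```

Run as a script it prints the findings per entry; `parse_entries` and `scan` accept a full text export of a report in place of the embedded excerpt. The `parent` field keeps subcall attribution, so a hit can be traced back to the function the report actually analysed rather than to a helper it called.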
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: 167d258ffff3e7536dd037b34f638a122c89c79a965bffc82fa75ad851d10930
                    • Instruction ID: 136d117d9a8a2e03be261fad476be2f19fa4e7bc3bb3ad2ed635408b85e65c9f
                    • Opcode Fuzzy Hash: 167d258ffff3e7536dd037b34f638a122c89c79a965bffc82fa75ad851d10930
                    • Instruction Fuzzy Hash: F921A271B402155FD7208F1BC8A4BEA7BA5BF89324B588058E8498B251CB75DC42EFD0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                    • API String ID: 0-1546025612
                    • Opcode ID: 09a290d6986466eeebee4d56017d6a348a0903b6dbd7de9a94a089a38cc5a726
                    • Instruction ID: 02aaeafb5e181e8911bf8f96d4bd9eb9961e0e09440ac406ca62c799568d4175
                    • Opcode Fuzzy Hash: 09a290d6986466eeebee4d56017d6a348a0903b6dbd7de9a94a089a38cc5a726
                    • Instruction Fuzzy Hash: 01A2B271E0122ACBDF24CF58D8417ADB7B1BF54760F2481AAE815A7385DB349D82EF90
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00FAA6AC
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00FAA6BA
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • Process32NextW.KERNEL32(00000000,?), ref: 00FAA79C
                    • CloseHandle.KERNEL32(00000000), ref: 00FAA7AB
                      • Part of subcall function 00F3CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F63303,?), ref: 00F3CE8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                    • String ID:
                    • API String ID: 1991900642-0
                    • Opcode ID: 324dde27fbb627f2c7de0ebf7cf27a7ce20d72b1780804da75f848560d647d91
                    • Instruction ID: 3341a4913819cfdca9c3fe6f8d6739e8ffa965c959fd623e78c2cfc5f6c1fe37
                    • Opcode Fuzzy Hash: 324dde27fbb627f2c7de0ebf7cf27a7ce20d72b1780804da75f848560d647d91
                    • Instruction Fuzzy Hash: DC516CB1908310AFD310EF24DC86A6BBBE8FF89754F40492DF58597292EB34D904DB92
                    APIs
                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F8AAAC
                    • SetKeyboardState.USER32(00000080), ref: 00F8AAC8
                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F8AB36
                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F8AB88
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    • Opcode ID: cab36e8fe37b7827f3559fef8349db7ffa21147b12e709e4012fb77966c961f0
                    • Instruction ID: 20784453e38f90d9e85da834e71c94a5eadbc6967482fff986be84e163788f8e
                    • Opcode Fuzzy Hash: cab36e8fe37b7827f3559fef8349db7ffa21147b12e709e4012fb77966c961f0
                    • Instruction Fuzzy Hash: B3312830E40608AEFF35EB64CC45BFA7BA6EB84320F08421BF085561D1D3798981E7A2
                    APIs
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00F9CE89
                    • GetLastError.KERNEL32(?,00000000), ref: 00F9CEEA
                    • SetEvent.KERNEL32(?,?,00000000), ref: 00F9CEFE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorEventFileInternetLastRead
                    • String ID:
                    • API String ID: 234945975-0
                    • Opcode ID: 721dcc05885f192445d21f6d9843ac81c62bdf3acd3a0f9ec41efc11b388648d
                    • Instruction ID: a930dfd03237ffcdf8666e6adfa1e2f30ae554a3dc560ade8fc988f0fc55cddd
                    • Opcode Fuzzy Hash: 721dcc05885f192445d21f6d9843ac81c62bdf3acd3a0f9ec41efc11b388648d
                    • Instruction Fuzzy Hash: 44219D719007059BEB20DF65C988BA77BF8EB50368F10442EE546D2151E774EE04AFA0
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F882AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: 50278723df1ad07411a9c18b56a34150d6a147e69ea4fe28f11c76fe3f512b58
                    • Instruction ID: eb39489d8f00cd45b70e3a41c316e7982b5f1f311be5a161bf1357d8fa8a1af8
                    • Opcode Fuzzy Hash: 50278723df1ad07411a9c18b56a34150d6a147e69ea4fe28f11c76fe3f512b58
                    • Instruction Fuzzy Hash: F6324975A006059FC728DF59C480AAAB7F0FF48760B55C46EE49ADB3A1EB70E942DB40
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00F95CC1
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00F95D17
                    • FindClose.KERNEL32(?), ref: 00F95D5F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Find$File$CloseFirstNext
                    • String ID:
                    • API String ID: 3541575487-0
                    • Opcode ID: a7a9fab4d829902f5465c4cfc07c331c972bc2de8fd6ebee99ea02ff357f017f
                    • Instruction ID: abeabad20b86d46ee041ebfa81a2f7deb290f3556827c4243738eeebd8dcaf30
                    • Opcode Fuzzy Hash: a7a9fab4d829902f5465c4cfc07c331c972bc2de8fd6ebee99ea02ff357f017f
                    • Instruction Fuzzy Hash: E251BC34A046019FDB15DF28D894A9AB7E4FF49324F14855EE95A8B3A2CB30ED04DF91
                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 00F5271A
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F52724
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 00F52731
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 931b35a8f28a9918990a9b0d0e48cec980ccb75f0dcd980b1d49ec67a0b7911f
                    • Instruction ID: 7d028e433d2f9c0ab29b491ec656d49fdc7b3ecf8d89c1ebc061510fc5bfd64f
                    • Opcode Fuzzy Hash: 931b35a8f28a9918990a9b0d0e48cec980ccb75f0dcd980b1d49ec67a0b7911f
                    • Instruction Fuzzy Hash: 9C31D87491121C9BCB61DF64DC88BDDBBB8AF08310F5042EAE90CA7261E7349F859F85
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00F951DA
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F95238
                    • SetErrorMode.KERNEL32(00000000), ref: 00F952A1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: ff11db67a1254f2e106e9586cbd6867cd39d59ac2985483003a39953701e181f
                    • Instruction ID: 20c69271e0b27b6b299ad7248cd64de28126156c1c281172be6ac6ff62a18ae5
                    • Opcode Fuzzy Hash: ff11db67a1254f2e106e9586cbd6867cd39d59ac2985483003a39953701e181f
                    • Instruction Fuzzy Hash: D2313075A00518DFDB00DF54D8C4EADBBB4FF49314F088099E905AB362DB35E855DBA0
                    APIs
                      • Part of subcall function 00F3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F40668
                      • Part of subcall function 00F3FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F40685
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F8170D
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F8173A
                    • GetLastError.KERNEL32 ref: 00F8174A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                    • String ID:
                    • API String ID: 577356006-0
                    • Opcode ID: 5919c55f25fc6ae5568b8ef4e2b0aae5c96be169b2f3bc0a26ea876662123163
                    • Instruction ID: 4dc844d49069e1343f44e7e53db3f9ec3e25f774be8e6aed454aa600e720e8fb
                    • Opcode Fuzzy Hash: 5919c55f25fc6ae5568b8ef4e2b0aae5c96be169b2f3bc0a26ea876662123163
                    • Instruction Fuzzy Hash: BF1182B2804208AFD718AF54DCC6DABB7BDFB44764B20862EF05656241EB70BC469B60
                    APIs
                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F8D608
                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F8D645
                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F8D650
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseControlCreateDeviceFileHandle
                    • String ID:
                    • API String ID: 33631002-0
                    • Opcode ID: 9a94926d4a1ae67cf8f4bf1a32c858721642afd276f3446600c70c8edf98c51d
                    • Instruction ID: b2157122699afd785cca8a87013fb05e23abc7348716101dc4dd36f483e8d24d
                    • Opcode Fuzzy Hash: 9a94926d4a1ae67cf8f4bf1a32c858721642afd276f3446600c70c8edf98c51d
                    • Instruction Fuzzy Hash: 7A113C75E05228BBDB109F99AC85FAFBBBCEB45B60F108125F904E7290D6704A059BA1
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F8168C
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F816A1
                    • FreeSid.ADVAPI32(?), ref: 00F816B1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: bc6988f266e6e1495833688483b46892ceebcbba130816b887bf922891a57ff8
                    • Instruction ID: 23111864273c3b6257b95046360c6c34e9853abd8abb5c9dee034deb178bd15f
                    • Opcode Fuzzy Hash: bc6988f266e6e1495833688483b46892ceebcbba130816b887bf922891a57ff8
                    • Instruction Fuzzy Hash: EBF0F47195030DFBDB00EFE49C89AAEBBBCFB08644F504665E501E2181E774AA449BA0
                    APIs
                    • GetCurrentProcess.KERNEL32(00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000,?,00F528E9), ref: 00F44D09
                    • TerminateProcess.KERNEL32(00000000,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000,?,00F528E9), ref: 00F44D10
                    • ExitProcess.KERNEL32 ref: 00F44D22
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 044dd6e60393634a02e3903701c1bbf8a3da4b3a24cce574537a095ba4289f72
                    • Instruction ID: 9c1c86f37c0a273ca63a557d194ce9ef8e5878e743a0220b876b24f1c81511ea
                    • Opcode Fuzzy Hash: 044dd6e60393634a02e3903701c1bbf8a3da4b3a24cce574537a095ba4289f72
                    • Instruction Fuzzy Hash: 0DE0B631800149ABCF11AF54DD49A593FB9EB41791B544118FD45AA222CB39ED42EE80
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID: /
                    • API String ID: 0-2043925204
                    • Opcode ID: 845998db76b5b177eb9d4cec8eea387f00c622bbf9254ea7bfd000a70f17219b
                    • Instruction ID: 554f7b863b6678558beb1dfa26c0d3220867708fc23dcffee5bfe7718e6f3ae3
                    • Opcode Fuzzy Hash: 845998db76b5b177eb9d4cec8eea387f00c622bbf9254ea7bfd000a70f17219b
                    • Instruction Fuzzy Hash: DF4126729003186FCB209FB9CC89EBB77B8EB84325F504269FE06C7180E6709D859B90
                    APIs
                    • GetUserNameW.ADVAPI32(?,?), ref: 00F7D28C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: NameUser
                    • String ID: X64
                    • API String ID: 2645101109-893830106
                    • Opcode ID: 6da4ff1910995acdc1934e6c602a5540ec61a2aafe2582b2ace82c1bfaf40bd1
                    • Instruction ID: c91d87330b3bb537ef243f15e597019986b4be05a0e1eec15e371b1a0382662e
                    • Opcode Fuzzy Hash: 6da4ff1910995acdc1934e6c602a5540ec61a2aafe2582b2ace82c1bfaf40bd1
                    • Instruction Fuzzy Hash: 14D0C9B580111DEBCB94DB90ECC8EDEB37CBB04345F104252F506E2000DB309549AF10
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                    • Instruction ID: 35a14923dc98218f273d01919280d5c2c4cee03ea5cfa8d9800e43a88d938ee0
                    • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                    • Instruction Fuzzy Hash: 56023D72E012199FDF54CFA9C8806ADFBF1FF88324F258169D919E7380D731AA419B94
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 00F96918
                    • FindClose.KERNEL32(00000000), ref: 00F96961
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    • Opcode ID: 7ccc20e39cd83b9495357c4b319fe6e345347af643905606157d53555301bd29
                    • Instruction ID: 9601cdb90a0e00ecef9a6efe4c5521941307e7b611e26648af2535c15472c718
                    • Opcode Fuzzy Hash: 7ccc20e39cd83b9495357c4b319fe6e345347af643905606157d53555301bd29
                    • Instruction Fuzzy Hash: 961190316042109FDB10DF29D885A1ABBE5FF89328F15C699E4698F6A2C734EC05DBD1
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00FA4891,?,?,00000035,?), ref: 00F937E4
                    • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00FA4891,?,?,00000035,?), ref: 00F937F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: ac0a80578f473e98e47fec5fc9fd94c28a18c037ddf355e12f19d5367737a4e1
                    • Instruction ID: 5f3e2401e95d04a63d23b099e8a4efc97da00ac52e7813874c932d8010cf84e0
                    • Opcode Fuzzy Hash: ac0a80578f473e98e47fec5fc9fd94c28a18c037ddf355e12f19d5367737a4e1
                    • Instruction Fuzzy Hash: A2F0EC716042292AEB2017A55C4DFDB369DEFC4761F000265F509D2191D5605904D6F1
                    APIs
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F8B25D
                    • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00F8B270
                    Similarity
                    • API ID: InputSendkeybd_event
                    • String ID:
                    • API String ID: 3536248340-0
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F811FC), ref: 00F810D4
                    • CloseHandle.KERNEL32(?,?,00F811FC), ref: 00F810E9
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    Strings
                    • Variable is not of type 'Object'., xrefs: 00F70C40
                    Similarity
                    • API ID:
                    • String ID: Variable is not of type 'Object'.
                    • API String ID: 0-1840281001
                    APIs
                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F56766,?,?,00000008,?,?,00F5FEFE,00000000), ref: 00F56998
                    Similarity
                    • API ID: ExceptionRaise
                    • String ID:
                    • API String ID: 3997070919-0
                    APIs
                    • BlockInput.USER32(00000001), ref: 00F9EABD
                    Similarity
                    • API ID: BlockInput
                    • String ID:
                    • API String ID: 3456056419-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F403EE), ref: 00F409DA
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Strings
                    Similarity
                    • API ID:
                    • String ID: 0
                    • API String ID: 0-4108050209
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163515852.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d70000_whiteee.jbxd
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00FA2B30
                    • DeleteObject.GDI32(00000000), ref: 00FA2B43
                    • DestroyWindow.USER32 ref: 00FA2B52
                    • GetDesktopWindow.USER32 ref: 00FA2B6D
                    • GetWindowRect.USER32(00000000), ref: 00FA2B74
                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FA2CA3
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FA2CB1
                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2CF8
                    • GetClientRect.USER32(00000000,?), ref: 00FA2D04
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FA2D40
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D62
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D75
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D80
                    • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D89
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2D98
                    • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DA1
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DA8
                    • GlobalFree.KERNEL32(00000000), ref: 00FA2DB3
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2DC5
                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FBFC38,00000000), ref: 00FA2DDB
                    • GlobalFree.KERNEL32(00000000), ref: 00FA2DEB
                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FA2E11
                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FA2E30
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA2E52
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FA303F
                    Strings
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    • API String ID: 2211948467-2373415609
                    • Opcode ID: 947254e9847aeaa9e72baa4a057efb9803acbfb2a18f469f5c942ba8218e60e8
                    • Instruction ID: 3967800effb624a8a6de343041a17dca3cc1a753eb94951a476dc142e9b3aafb
                    • Opcode Fuzzy Hash: 947254e9847aeaa9e72baa4a057efb9803acbfb2a18f469f5c942ba8218e60e8
                    • Instruction Fuzzy Hash: A0024E71A00219AFDB14DF68CC89EAE7BB9FF49720F048158F915AB2A1C7749D01EF60
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 00FB712F
                    • GetSysColorBrush.USER32(0000000F), ref: 00FB7160
                    • GetSysColor.USER32(0000000F), ref: 00FB716C
                    • SetBkColor.GDI32(?,000000FF), ref: 00FB7186
                    • SelectObject.GDI32(?,?), ref: 00FB7195
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00FB71C0
                    • GetSysColor.USER32(00000010), ref: 00FB71C8
                    • CreateSolidBrush.GDI32(00000000), ref: 00FB71CF
                    • FrameRect.USER32(?,?,00000000), ref: 00FB71DE
                    • DeleteObject.GDI32(00000000), ref: 00FB71E5
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00FB7230
                    • FillRect.USER32(?,?,?), ref: 00FB7262
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB7284
                      • Part of subcall function 00FB73E8: GetSysColor.USER32(00000012), ref: 00FB7421
                      • Part of subcall function 00FB73E8: SetTextColor.GDI32(?,?), ref: 00FB7425
                      • Part of subcall function 00FB73E8: GetSysColorBrush.USER32(0000000F), ref: 00FB743B
                      • Part of subcall function 00FB73E8: GetSysColor.USER32(0000000F), ref: 00FB7446
                      • Part of subcall function 00FB73E8: GetSysColor.USER32(00000011), ref: 00FB7463
                      • Part of subcall function 00FB73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FB7471
                      • Part of subcall function 00FB73E8: SelectObject.GDI32(?,00000000), ref: 00FB7482
                      • Part of subcall function 00FB73E8: SetBkColor.GDI32(?,00000000), ref: 00FB748B
                      • Part of subcall function 00FB73E8: SelectObject.GDI32(?,?), ref: 00FB7498
                      • Part of subcall function 00FB73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FB74B7
                      • Part of subcall function 00FB73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FB74CE
                      • Part of subcall function 00FB73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FB74DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                    • String ID:
                    • API String ID: 4124339563-0
                    • Opcode ID: 48a02d99a42a7f0d37d33cd5ef48f52196759239b7f181efcbaa1070eb9a791c
                    • Instruction ID: 4277e910076a50b7e11f1922f7bd2f0722bb9ba6940ec8c1eb0ccf9e2cc40b47
                    • Opcode Fuzzy Hash: 48a02d99a42a7f0d37d33cd5ef48f52196759239b7f181efcbaa1070eb9a791c
                    • Instruction Fuzzy Hash: E1A1A472408305AFD710AF65DC88E9B77A9FF89320F140B19F9A2961E1D731E944EFA1
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 00FA273E
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FA286A
                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FA28A9
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FA28B9
                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FA2900
                    • GetClientRect.USER32(00000000,?), ref: 00FA290C
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FA2955
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FA2964
                    • GetStockObject.GDI32(00000011), ref: 00FA2974
                    • SelectObject.GDI32(00000000,00000000), ref: 00FA2978
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FA2988
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA2991
                    • DeleteDC.GDI32(00000000), ref: 00FA299A
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FA29C6
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00FA29DD
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FA2A1D
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FA2A31
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00FA2A42
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FA2A77
                    • GetStockObject.GDI32(00000011), ref: 00FA2A82
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FA2A8D
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FA2A97
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: b498dd16201ca3ced12748cb0e31e9fe3b173a40314e30803cd943d188040811
                    • Instruction ID: 53c4373eb2515f07c105feaa44bf5bc2734694479ac605afb86905b4a8d6a369
                    • Opcode Fuzzy Hash: b498dd16201ca3ced12748cb0e31e9fe3b173a40314e30803cd943d188040811
                    • Instruction Fuzzy Hash: D2B13CB1A00219AFEB14DF68DC86EAB7BA9FF49710F004215F915EB290D774ED40DBA0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00F94AED
                    • GetDriveTypeW.KERNEL32(?,00FBCB68,?,\\.\,00FBCC08), ref: 00F94BCA
                    • SetErrorMode.KERNEL32(00000000,00FBCB68,?,\\.\,00FBCC08), ref: 00F94D36
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: 239019bbfcae1d512bd1ea5f511962779c0fa7eec610b35565834e5425810ad2
                    • Instruction ID: 41bf63b35904fbfc3ae3ccc3c6a92daf03681829b3289dbf0d06a871ad32413b
                    • Opcode Fuzzy Hash: 239019bbfcae1d512bd1ea5f511962779c0fa7eec610b35565834e5425810ad2
                    • Instruction Fuzzy Hash: B961E43160514A9FDF24DF26CE82E6DB7A0AF68354B244056F806EB291DB35FD42FB42
                    APIs
                    • GetSysColor.USER32(00000012), ref: 00FB7421
                    • SetTextColor.GDI32(?,?), ref: 00FB7425
                    • GetSysColorBrush.USER32(0000000F), ref: 00FB743B
                    • GetSysColor.USER32(0000000F), ref: 00FB7446
                    • CreateSolidBrush.GDI32(?), ref: 00FB744B
                    • GetSysColor.USER32(00000011), ref: 00FB7463
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FB7471
                    • SelectObject.GDI32(?,00000000), ref: 00FB7482
                    • SetBkColor.GDI32(?,00000000), ref: 00FB748B
                    • SelectObject.GDI32(?,?), ref: 00FB7498
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00FB74B7
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FB74CE
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB74DB
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FB752A
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FB7554
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00FB7572
                    • DrawFocusRect.USER32(?,?), ref: 00FB757D
                    • GetSysColor.USER32(00000011), ref: 00FB758E
                    • SetTextColor.GDI32(?,00000000), ref: 00FB7596
                    • DrawTextW.USER32(?,00FB70F5,000000FF,?,00000000), ref: 00FB75A8
                    • SelectObject.GDI32(?,?), ref: 00FB75BF
                    • DeleteObject.GDI32(?), ref: 00FB75CA
                    • SelectObject.GDI32(?,?), ref: 00FB75D0
                    • DeleteObject.GDI32(?), ref: 00FB75D5
                    • SetTextColor.GDI32(?,?), ref: 00FB75DB
                    • SetBkColor.GDI32(?,?), ref: 00FB75E5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: cc69dfce971171cc97981b74d12c484f6b9f7900f2b89c24a078266de48f2b40
                    • Instruction ID: dec36c8093acb84eeee3c84cd3b1ae67656042a5b676baf5f17d36f1383df8fc
                    • Opcode Fuzzy Hash: cc69dfce971171cc97981b74d12c484f6b9f7900f2b89c24a078266de48f2b40
                    • Instruction Fuzzy Hash: 31617F72D00218AFDB11AFA4DC88EEE7F79EB48320F144211F915BB2A1D7709940EF90
                    APIs
                    • GetCursorPos.USER32(?), ref: 00FB1128
                    • GetDesktopWindow.USER32 ref: 00FB113D
                    • GetWindowRect.USER32(00000000), ref: 00FB1144
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB1199
                    • DestroyWindow.USER32(?), ref: 00FB11B9
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FB11ED
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB120B
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FB121D
                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00FB1232
                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FB1245
                    • IsWindowVisible.USER32(00000000), ref: 00FB12A1
                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FB12BC
                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FB12D0
                    • GetWindowRect.USER32(00000000,?), ref: 00FB12E8
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00FB130E
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00FB1328
                    • CopyRect.USER32(?,?), ref: 00FB133F
                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00FB13AA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 7bdada09c5fa29c8f487fbf0e4a1b56fee8dc98f0ff2caf08d3a20018a901193
                    • Instruction ID: 893cd538ce043e8a4892e3f49c8c3ae41b91f1918eb32daea84c1338d056bc64
                    • Opcode Fuzzy Hash: 7bdada09c5fa29c8f487fbf0e4a1b56fee8dc98f0ff2caf08d3a20018a901193
                    • Instruction Fuzzy Hash: D1B1BC71608340AFD700DF25C885BABBBE4FF88350F448918F9999B2A1D771E844EF91
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00FB02E5
                    • _wcslen.LIBCMT ref: 00FB031F
                    • _wcslen.LIBCMT ref: 00FB0389
                    • _wcslen.LIBCMT ref: 00FB03F1
                    • _wcslen.LIBCMT ref: 00FB0475
                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FB04C5
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FB0504
                      • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                      • Part of subcall function 00F8223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F82258
                      • Part of subcall function 00F8223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F8228A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$MessageSend$BuffCharUpper
                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                    • API String ID: 1103490817-719923060
                    • Opcode ID: a0b132aeaae69b2c0c5f97609a108f1721887cab9a16986da4a8c725e876e336
                    • Instruction ID: 7512a187b06f5db04b15d019805c2e5c49c9ccceb638d1c637b5765f205afba5
                    • Opcode Fuzzy Hash: a0b132aeaae69b2c0c5f97609a108f1721887cab9a16986da4a8c725e876e336
                    • Instruction Fuzzy Hash: 6AE1B0316083418FC714EF26C9519ABB3E6BF88324F14496CF8969B2A5DB34ED45EF81
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F38968
                    • GetSystemMetrics.USER32(00000007), ref: 00F38970
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F3899B
                    • GetSystemMetrics.USER32(00000008), ref: 00F389A3
                    • GetSystemMetrics.USER32(00000004), ref: 00F389C8
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F389E5
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F389F5
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F38A28
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F38A3C
                    • GetClientRect.USER32(00000000,000000FF), ref: 00F38A5A
                    • GetStockObject.GDI32(00000011), ref: 00F38A76
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F38A81
                      • Part of subcall function 00F3912D: GetCursorPos.USER32(?), ref: 00F39141
                      • Part of subcall function 00F3912D: ScreenToClient.USER32(00000000,?), ref: 00F3915E
                      • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000001), ref: 00F39183
                      • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                    • SetTimer.USER32(00000000,00000000,00000028,00F390FC), ref: 00F38AA8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 004adf9d1954ec7b9861afce5a382443cb2b767e5b0b2b46ce6f934f354d5ce4
                    • Instruction ID: d2a10ba6efbbcd770d1fb8fa2e3af0c4c211c92dc6afbc24f4ef6658f1e428d6
                    • Opcode Fuzzy Hash: 004adf9d1954ec7b9861afce5a382443cb2b767e5b0b2b46ce6f934f354d5ce4
                    • Instruction Fuzzy Hash: 4EB15C71A00209DFDB14DF68CC85BAA3BB5FF48364F104229FA15E7290DB74A841EF91
                    APIs
                      • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                      • Part of subcall function 00F810F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                      • Part of subcall function 00F810F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                      • Part of subcall function 00F810F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                      • Part of subcall function 00F810F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F80DF5
                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F80E29
                    • GetLengthSid.ADVAPI32(?), ref: 00F80E40
                    • GetAce.ADVAPI32(?,00000000,?), ref: 00F80E7A
                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F80E96
                    • GetLengthSid.ADVAPI32(?), ref: 00F80EAD
                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F80EB5
                    • HeapAlloc.KERNEL32(00000000), ref: 00F80EBC
                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F80EDD
                    • CopySid.ADVAPI32(00000000), ref: 00F80EE4
                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F80F13
                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F80F35
                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F80F47
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F6E
                    • HeapFree.KERNEL32(00000000), ref: 00F80F75
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F7E
                    • HeapFree.KERNEL32(00000000), ref: 00F80F85
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F80F8E
                    • HeapFree.KERNEL32(00000000), ref: 00F80F95
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F80FA1
                    • HeapFree.KERNEL32(00000000), ref: 00F80FA8
                      • Part of subcall function 00F81193: GetProcessHeap.KERNEL32(00000008,00F80BB1,?,00000000,?,00F80BB1,?), ref: 00F811A1
                      • Part of subcall function 00F81193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F80BB1,?), ref: 00F811A8
                      • Part of subcall function 00F81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F80BB1,?), ref: 00F811B7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                    • String ID:
                    • API String ID: 4175595110-0
                    • Opcode ID: c52cd55c64820cd0e2ddb39364fb04cc5e01c3433940214e02473ae747abdece
                    • Instruction ID: 0630e4f9fae484e51b0fd3763a8af5d674ceaa8ce520456c12afaa5fac4df8a2
                    • Opcode Fuzzy Hash: c52cd55c64820cd0e2ddb39364fb04cc5e01c3433940214e02473ae747abdece
                    • Instruction Fuzzy Hash: 55715E7190020AABDB60AFA5DC45FEFBBB8FF04350F448215FA59E6191DB319909DFA0
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FAC4BD
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00FBCC08,00000000,?,00000000,?,?), ref: 00FAC544
                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FAC5A4
                    • _wcslen.LIBCMT ref: 00FAC5F4
                    • _wcslen.LIBCMT ref: 00FAC66F
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FAC6B2
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FAC7C1
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FAC84D
                    • RegCloseKey.ADVAPI32(?), ref: 00FAC881
                    • RegCloseKey.ADVAPI32(00000000), ref: 00FAC88E
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FAC960
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 9721498-966354055
                    • Opcode ID: d7786bf85894a4e3dc49c50ee3d65c062e8b86f12eaee5dc5f0a5cbb84ec1fe4
                    • Instruction ID: 2f2b0e4c4be7e8f4876602ce4e755cb15e61e91ce1a6fb1f44e78fe7320c802a
                    • Opcode Fuzzy Hash: d7786bf85894a4e3dc49c50ee3d65c062e8b86f12eaee5dc5f0a5cbb84ec1fe4
                    • Instruction Fuzzy Hash: BB126B756042119FD714EF14D881A2AB7E5FF89724F08885CF84A9B3A2DB39FD41EB81
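Two of the records above are the ones worth pulling out of a listing this long. The function whose direct calls begin at 00F80DF5 appends an ACE (AddAce) to a DACL and writes it back with SetUserObjectSecurity, with the SECURITY_INFORMATION value 4 (DACL_SECURITY_INFORMATION) shown in the second argument column; that is the standard sequence for granting a second account access to the window station and desktop before a process is started under that account. The function whose calls begin at 00FAC4BD writes registry values with dwType 1, 7, 0xB and 3, which are REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY, matching its String ID list. Both are library routines of the AutoIt v3 runtime (the window class strings "AutoIt v3" and "AutoIt v3 GUI" appear in the records above), so a hit shows the capability is compiled into the interpreter, not that the embedded script exercises it. The Python below is an added example, not part of the Joe Sandbox report: it parses records in the layout rendered on this page and applies those two checks. The rule names, the condensed sample input and the reading of the argument columns exactly as the report prints them (the real API receives the SECURITY_INFORMATION value through a pointer) are this example's own assumptions; DACL_SECURITY_INFORMATION and the REG_* type numbers are the documented Windows values.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: condensed copies of three records in the "Joe Sandbox IDA Plugin" layout.
SAMPLE_REPORT = """\
APIs
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F80DF5
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F80E96
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F80F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F80F47
  • Part of subcall function 00F81193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F80BB1,?), ref: 00F811B7
Similarity
• String ID:
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FAC4BD
• _wcslen.LIBCMT ref: 00FAC5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FAC6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FAC7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FAC84D
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FAC960
Strings
Similarity
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
APIs
• SetTextColor.GDI32(?,00000000), ref: 00FB712F
• FillRect.USER32(?,?,?), ref: 00FB7262
"""

# API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional "(args)", "ref: addr".
API_LINE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?(?P<api>\w+)\.(?P<mod>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
META_LINE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "String ID: ...", "Opcode ID: ..."

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                 # int for 8-hex-digit tokens, None for "?", raw text otherwise
    ref: str
    subcall: Optional[str]     # callee address when the line is "Part of subcall function"

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    @property
    def first_ref(self):
        return self.apis[0].ref if self.apis else None

    @property
    def strings(self):         # the "$"-separated String ID field
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def direct_calls(self, name):   # calls made by this function itself, not via a subcall
        return [c for c in self.apis if c.name == name and c.subcall is None]

def parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok

def parse_records(text):
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                          # every record starts with this label
            current = FunctionRecord()
            records.append(current)
        elif current is not None and line.startswith("•"):
            if m := API_LINE.match(line):
                args = [] if m.group("args") is None else [parse_arg(a) for a in m.group("args").split(",")]
                current.apis.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref").upper(), m.group("sub")))
            elif m := META_LINE.match(line):
                current.meta.setdefault(m.group("key"), m.group("val").strip())
    return records

DACL_SECURITY_INFORMATION = 0x4   # SECURITY_INFORMATION flag: only the DACL is read or written
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

def rule_user_object_dacl_rewrite(rec):
    """ACE appended to a DACL that is written back to a USER object (window station/desktop):
    the sequence used to let another account reach the interactive desktop before RunAs-style launches."""
    if not (rec.direct_calls("AddAce") and rec.direct_calls("SetSecurityDescriptorDacl")):
        return False
    return any(c.args[1:2] == [DACL_SECURITY_INFORMATION] for c in rec.direct_calls("SetUserObjectSecurity"))

def rule_registry_value_write(rec):
    return bool(rec.direct_calls("RegSetValueExW"))

def registry_types_written(rec):   # dwType (4th argument) of each direct RegSetValueExW call
    return [REG_TYPES.get(c.args[3], f"type_{c.args[3]}") for c in rec.direct_calls("RegSetValueExW") if len(c.args) > 3]

def flag_record(rec):
    rules = {"user_object_dacl_rewrite": rule_user_object_dacl_rewrite, "registry_value_write": rule_registry_value_write}
    return [name for name, rule in rules.items() if rule(rec)]

def triage(text):
    """(address of the record's first call, matched rules) for each record that trips a rule."""
    hits = [(r.first_ref, flag_record(r)) for r in parse_records(text)]
    return [(ref, flags) for ref, flags in hits if flags]
```

Feed `triage()` the text of a whole report section and it returns only the records that trip a rule, keyed by the address of their first call so they can be found again in the listing; `direct_calls` deliberately ignores "Part of subcall function" lines, so a rule fires on the function that makes the calls rather than on every caller of it.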
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00FB09C6
                    • _wcslen.LIBCMT ref: 00FB0A01
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FB0A54
                    • _wcslen.LIBCMT ref: 00FB0A8A
                    • _wcslen.LIBCMT ref: 00FB0B06
                    • _wcslen.LIBCMT ref: 00FB0B81
                      • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                      • Part of subcall function 00F82BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F82BFA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$MessageSend$BuffCharUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 1103490817-4258414348
                    • Opcode ID: 03941a4045bc4553d60c525e7a5b46a8d0389bed8fe5bdf0b9d7d075b4792452
                    • Instruction ID: 81d57c68257ef2f5f7ae8b72416a7aa3e09e9342deadad9d4b24ab6b8d946402
                    • Opcode Fuzzy Hash: 03941a4045bc4553d60c525e7a5b46a8d0389bed8fe5bdf0b9d7d075b4792452
                    • Instruction Fuzzy Hash: 73E18D326083118FC714EF26C85096AB7E1BF98324B14895DF8969B3A2DB34ED45EB81
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 1256254125-909552448
                    • Opcode ID: 742c474bb753782ba766d67bc0c5d1a78be44f04d447c4acbf82d8f314aa9d61
                    • Instruction ID: 1f31341cf6546470ed4eb61cd964b62df4a4f9062c3792256c1f606c59678171
                    • Opcode Fuzzy Hash: 742c474bb753782ba766d67bc0c5d1a78be44f04d447c4acbf82d8f314aa9d61
                    • Instruction Fuzzy Hash: 077106B3E0416A8BCB20DE79CC516BA3395AFA27B4F110124F8569B285E639CD45B3E0
                    APIs
                    • _wcslen.LIBCMT ref: 00FB835A
                    • _wcslen.LIBCMT ref: 00FB836E
                    • _wcslen.LIBCMT ref: 00FB8391
                    • _wcslen.LIBCMT ref: 00FB83B4
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FB83F2
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FB5BF2), ref: 00FB844E
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FB8487
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FB84CA
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FB8501
                    • FreeLibrary.KERNEL32(?), ref: 00FB850D
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FB851D
                    • DestroyIcon.USER32(?,?,?,?,?,00FB5BF2), ref: 00FB852C
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FB8549
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FB8555
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                    • String ID: .dll$.exe$.icl
                    • API String ID: 799131459-1154884017
                    • Opcode ID: c9b8cd7b6d177cc689a4e979514712e81e06d001e7063800baa855a531594b41
                    • Instruction ID: 25d7e2ed44aece9057aa490ca8ab72d9f3e4dcf5e9b8a6f8c31cd7be4c97e6cb
                    • Opcode Fuzzy Hash: c9b8cd7b6d177cc689a4e979514712e81e06d001e7063800baa855a531594b41
                    • Instruction Fuzzy Hash: A961CE71900219BAEB24DF65CC81BFF7BACBB44760F104609F815E61D1DF78A941EBA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 0-1645009161
                    • Opcode ID: 891bc948c64bf0544770de11d4ba5e9b52bf9551161c75b98442c0e82b3703e9
                    • Instruction ID: c5f8a0d05aa44d0b6acab457bb7e4379efe0ace539704d9ff9280f205b668e63
                    • Opcode Fuzzy Hash: 891bc948c64bf0544770de11d4ba5e9b52bf9551161c75b98442c0e82b3703e9
                    • Instruction Fuzzy Hash: 14811871A04325BBDB20BF61EC42FEE3BA8AF15750F044024F904AB192EB74D945F791
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00F93EF8
                    • _wcslen.LIBCMT ref: 00F93F03
                    • _wcslen.LIBCMT ref: 00F93F5A
                    • _wcslen.LIBCMT ref: 00F93F98
                    • GetDriveTypeW.KERNEL32(?), ref: 00F93FD6
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F9401E
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F94059
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F94087
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: SendString_wcslen$BuffCharDriveLowerType
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 1839972693-4113822522
                    • Opcode ID: a064361d993be8e11af4c715f4d3a97cfa72d55449c05efdc6910003682d615f
                    • Instruction ID: fafc9a11f68839134e28bdd8c2bf539e3a57a80c663867dd2a3e2859798e45d4
                    • Opcode Fuzzy Hash: a064361d993be8e11af4c715f4d3a97cfa72d55449c05efdc6910003682d615f
                    • Instruction Fuzzy Hash: 9A71F232A042158FDB10EF24C88096BB7F4EFA4768F10492DF895D7261EB34ED46EB91
                    APIs
                    • LoadIconW.USER32(00000063), ref: 00F85A2E
                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F85A40
                    • SetWindowTextW.USER32(?,?), ref: 00F85A57
                    • GetDlgItem.USER32(?,000003EA), ref: 00F85A6C
                    • SetWindowTextW.USER32(00000000,?), ref: 00F85A72
                    • GetDlgItem.USER32(?,000003E9), ref: 00F85A82
                    • SetWindowTextW.USER32(00000000,?), ref: 00F85A88
                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F85AA9
                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F85AC3
                    • GetWindowRect.USER32(?,?), ref: 00F85ACC
                    • _wcslen.LIBCMT ref: 00F85B33
                    • SetWindowTextW.USER32(?,?), ref: 00F85B6F
                    • GetDesktopWindow.USER32 ref: 00F85B75
                    • GetWindowRect.USER32(00000000), ref: 00F85B7C
                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F85BD3
                    • GetClientRect.USER32(?,?), ref: 00F85BE0
                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00F85C05
                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F85C2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                    • String ID:
                    • API String ID: 895679908-0
                    • Opcode ID: 909aab225a9595fa6230a8636460138083d6b3cbd2a70382a41bfa98159a6bf6
                    • Instruction ID: 26ef06e74832e243401649f923a48fff8a6f0a7855e130ebbe77df2bb32bdad4
                    • Opcode Fuzzy Hash: 909aab225a9595fa6230a8636460138083d6b3cbd2a70382a41bfa98159a6bf6
                    • Instruction Fuzzy Hash: 9D716E31900B09AFDB20EFA8CD85EAEBBF5FF48B14F104618E546A25A0D775E944EF50
                    APIs
                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F400C6
                      • Part of subcall function 00F400ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FF070C,00000FA0,DD965F39,?,?,?,?,00F623B3,000000FF), ref: 00F4011C
                      • Part of subcall function 00F400ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F623B3,000000FF), ref: 00F40127
                      • Part of subcall function 00F400ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F623B3,000000FF), ref: 00F40138
                      • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F4014E
                      • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F4015C
                      • Part of subcall function 00F400ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F4016A
                      • Part of subcall function 00F400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F40195
                      • Part of subcall function 00F400ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F401A0
                    • ___scrt_fastfail.LIBCMT ref: 00F400E7
                      • Part of subcall function 00F400A3: __onexit.LIBCMT ref: 00F400A9
                    Strings
                    • WakeAllConditionVariable, xrefs: 00F40162
                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F40122
                    • kernel32.dll, xrefs: 00F40133
                    • InitializeConditionVariable, xrefs: 00F40148
                    • SleepConditionVariableCS, xrefs: 00F40154
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                    • API String ID: 66158676-1714406822
                    • Opcode ID: 52b1a38ba65dd490d6ea64c170971cedf67a1d31843d9ba86b62de3f5567ac24
                    • Instruction ID: 33c877da72e55f9b799532a1ac56e53268c51d1f5c5ddc58b98b30ebf9d1ca8e
                    • Opcode Fuzzy Hash: 52b1a38ba65dd490d6ea64c170971cedf67a1d31843d9ba86b62de3f5567ac24
                    • Instruction Fuzzy Hash: BF21F933E447156BD7106B68AC85B6A3B98DF49B61F000236FE01E3292DFB4D800BED1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 176396367-1603158881
                    • Opcode ID: 20d23211f35b5faa4bc83525120822b1d730abd6b6c48f602dec78c20b31a5cf
                    • Instruction ID: eb760626eba30e35791a46987094a7398f47e436628a50bae6f654e0df1715a7
                    • Opcode Fuzzy Hash: 20d23211f35b5faa4bc83525120822b1d730abd6b6c48f602dec78c20b31a5cf
                    • Instruction Fuzzy Hash: D3E1C532E00516ABCB14EF68C8517EEBBB0BF54F20F548129E456F7260DB74AE85B790
                    APIs
                    • CharLowerBuffW.USER32(00000000,00000000,00FBCC08), ref: 00F94527
                    • _wcslen.LIBCMT ref: 00F9453B
                    • _wcslen.LIBCMT ref: 00F94599
                    • _wcslen.LIBCMT ref: 00F945F4
                    • _wcslen.LIBCMT ref: 00F9463F
                    • _wcslen.LIBCMT ref: 00F946A7
                      • Part of subcall function 00F3F9F2: _wcslen.LIBCMT ref: 00F3F9FD
                    • GetDriveTypeW.KERNEL32(?,00FE6BF0,00000061), ref: 00F94743
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharDriveLowerType
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2055661098-1000479233
                    • Opcode ID: 781e16e8b4d6d6424c21657609ac18c6587ded681d8142399d06d347989aa874
                    • Instruction ID: 59e5aefa8aceac1f6d8b64ea39bb16983aaabfddf58e6980ded0de160423b5fc
                    • Opcode Fuzzy Hash: 781e16e8b4d6d6424c21657609ac18c6587ded681d8142399d06d347989aa874
                    • Instruction Fuzzy Hash: 44B10171A083029FDB10DF28C890E6AB7E5BFB5760F50491DF496C7291D734E846EB92
                    APIs
                    • _wcslen.LIBCMT ref: 00FAB198
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB1B0
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB1D4
                    • _wcslen.LIBCMT ref: 00FAB200
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB214
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FAB236
                    • _wcslen.LIBCMT ref: 00FAB332
                      • Part of subcall function 00F905A7: GetStdHandle.KERNEL32(000000F6), ref: 00F905C6
                    • _wcslen.LIBCMT ref: 00FAB34B
                    • _wcslen.LIBCMT ref: 00FAB366
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FAB3B6
                    • GetLastError.KERNEL32(00000000), ref: 00FAB407
                    • CloseHandle.KERNEL32(?), ref: 00FAB439
                    • CloseHandle.KERNEL32(00000000), ref: 00FAB44A
                    • CloseHandle.KERNEL32(00000000), ref: 00FAB45C
                    • CloseHandle.KERNEL32(00000000), ref: 00FAB46E
                    • CloseHandle.KERNEL32(?), ref: 00FAB4E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                    • String ID:
                    • API String ID: 2178637699-0
                    • Opcode ID: 7a36ee343fb3a238edeb7347ef1dec2a9d0cbd30fa328d9400380b4283a314e0
                    • Instruction ID: a3b544b740921ab17082c77cd4432ae86e904b8bcbd60563eec26e38b1b5b55b
                    • Opcode Fuzzy Hash: 7a36ee343fb3a238edeb7347ef1dec2a9d0cbd30fa328d9400380b4283a314e0
                    • Instruction Fuzzy Hash: E6F1B2719043409FC714EF24C891B6FBBE5AF86320F18855DF8959B2A2CB35EC44EB52
                    APIs
                    • GetMenuItemCount.USER32(00FF1990), ref: 00F62F8D
                    • GetMenuItemCount.USER32(00FF1990), ref: 00F6303D
                    • GetCursorPos.USER32(?), ref: 00F63081
                    • SetForegroundWindow.USER32(00000000), ref: 00F6308A
                    • TrackPopupMenuEx.USER32(00FF1990,00000000,?,00000000,00000000,00000000), ref: 00F6309D
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F630A9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                    • String ID: 0
                    • API String ID: 36266755-4108050209
                    • Opcode ID: c1231d5f3fd22b07eaa7466782ba019858d910bddc8237272bf4830b5e552f5d
                    • Instruction ID: 50548e1f4532926c02a239c9b4b2ebdab0f90192c809637c89ce991058e5d3fe
                    • Opcode Fuzzy Hash: c1231d5f3fd22b07eaa7466782ba019858d910bddc8237272bf4830b5e552f5d
                    • Instruction Fuzzy Hash: 5F713871A40215BEEB218F24DC89FAABF69FF05334F200216F5246A1E0C7B5A910FB91
                    APIs
                    • DestroyWindow.USER32(?,?), ref: 00FB6DEB
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FB6E5F
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FB6E81
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB6E94
                    • DestroyWindow.USER32(?), ref: 00FB6EB5
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F20000,00000000), ref: 00FB6EE4
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FB6EFD
                    • GetDesktopWindow.USER32 ref: 00FB6F16
                    • GetWindowRect.USER32(00000000), ref: 00FB6F1D
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FB6F35
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FB6F4D
                      • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                    • String ID: 0$tooltips_class32
                    • API String ID: 2429346358-3619404913
                    • Opcode ID: 3fcc63d7ab0f78ea94667266cd14cf0281cfa0d6b8bc393301f8187a2f0590fb
                    • Instruction ID: 21b1ee875483bc9c68ed9dceb080db70a9a5f0eb68bb59907f8e533d765df5fb
                    • Opcode Fuzzy Hash: 3fcc63d7ab0f78ea94667266cd14cf0281cfa0d6b8bc393301f8187a2f0590fb
                    • Instruction Fuzzy Hash: DE716671904244AFDB21CF19DC84EBABBE9BB89310F04051DF989C7261D7B4E905EF56
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • DragQueryPoint.SHELL32(?,?), ref: 00FB9147
                      • Part of subcall function 00FB7674: ClientToScreen.USER32(?,?), ref: 00FB769A
                      • Part of subcall function 00FB7674: GetWindowRect.USER32(?,?), ref: 00FB7710
                      • Part of subcall function 00FB7674: PtInRect.USER32(?,?,00FB8B89), ref: 00FB7720
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00FB91B0
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FB91BB
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FB91DE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FB9225
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00FB923E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00FB9255
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00FB9277
                    • DragFinish.SHELL32(?), ref: 00FB927E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FB9371
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 221274066-3440237614
                    • Opcode ID: cdfb2dc12e17eb1a6992dc3d7a1877d5ce4195c48a6a62fc9653d09aea236163
                    • Instruction ID: d6851be945adcd1bb1e7c941001faa8e6bf6d89c42eee5fe125191cb762401e2
                    • Opcode Fuzzy Hash: cdfb2dc12e17eb1a6992dc3d7a1877d5ce4195c48a6a62fc9653d09aea236163
                    • Instruction Fuzzy Hash: AF617B71108305AFD701DF61DC85DAFBBE9EF88350F000A1DF595931A1DBB09A49EBA2
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F9C4B0
                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F9C4C3
                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F9C4D7
                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F9C4F0
                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F9C533
                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F9C549
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F9C554
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F9C584
                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F9C5DC
                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F9C5F0
                    • InternetCloseHandle.WININET(00000000), ref: 00F9C5FB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                    • String ID:
                    • API String ID: 3800310941-3916222277
                    • Opcode ID: 2a43b0d1dee507f7d79d678893f182c97c0699413455a5697b39088583ab1819
                    • Instruction ID: a2697d64bd4740b6b94d937839669b8798f5a93c1ec7734a3b544e1e259fef56
                    • Opcode Fuzzy Hash: 2a43b0d1dee507f7d79d678893f182c97c0699413455a5697b39088583ab1819
                    • Instruction Fuzzy Hash: 7E5139B1600209BFEF219F65CD88AAB7BFCFB08754F144519F94696250DB34EA44AFA0
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FB8592
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85A2
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85AD
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85BA
                    • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85C8
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85D7
                    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85E0
                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85E7
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FB85F8
                    • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FBFC38,?), ref: 00FB8611
                    • GlobalFree.KERNEL32(00000000), ref: 00FB8621
                    • GetObjectW.GDI32(?,00000018,?), ref: 00FB8641
                    • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FB8671
                    • DeleteObject.GDI32(?), ref: 00FB8699
                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FB86AF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                    • String ID:
                    • API String ID: 3840717409-0
                    • Opcode ID: 6ab6039c6d4a1be3e885031fa80b82967fe6686eea86c5fda0e1fae7ec8d2d93
                    • Instruction ID: 1c618b6ed4f576520d97fa3b6f702861309911d5d9b2e8eaa1c989191e32ed56
                    • Opcode Fuzzy Hash: 6ab6039c6d4a1be3e885031fa80b82967fe6686eea86c5fda0e1fae7ec8d2d93
                    • Instruction Fuzzy Hash: AF411975600209AFDB119FA5CC88EAB7BBDEF89761F144159F909E7260DB309D01EF60
                    APIs
                    • VariantInit.OLEAUT32(00000000), ref: 00F91502
                    • VariantCopy.OLEAUT32(?,?), ref: 00F9150B
                    • VariantClear.OLEAUT32(?), ref: 00F91517
                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F915FB
                    • VarR8FromDec.OLEAUT32(?,?), ref: 00F91657
                    • VariantInit.OLEAUT32(?), ref: 00F91708
                    • SysFreeString.OLEAUT32(?), ref: 00F9178C
                    • VariantClear.OLEAUT32(?), ref: 00F917D8
                    • VariantClear.OLEAUT32(?), ref: 00F917E7
                    • VariantInit.OLEAUT32(00000000), ref: 00F91823
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                    • API String ID: 1234038744-3931177956
                    • Opcode ID: 098ef2e117ec374b1e48240f31c3fb73eb1548b1a7bf1f4b647e3ce6e07c48ab
                    • Instruction ID: dccd6ef1e56764f91bfb90eff5d1f747808ea57a3afecac984c4c7b56799d1d7
                    • Opcode Fuzzy Hash: 098ef2e117ec374b1e48240f31c3fb73eb1548b1a7bf1f4b647e3ce6e07c48ab
                    • Instruction Fuzzy Hash: 9CD10032A00116DBEF009F65E884B7DB7B5BF44710F1A8066F446AB290DB38DD45FBA2
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FAB6F4
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FAB772
                    • RegDeleteValueW.ADVAPI32(?,?), ref: 00FAB80A
                    • RegCloseKey.ADVAPI32(?), ref: 00FAB87E
                    • RegCloseKey.ADVAPI32(?), ref: 00FAB89C
                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FAB8F2
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FAB904
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FAB922
                    • FreeLibrary.KERNEL32(00000000), ref: 00FAB983
                    • RegCloseKey.ADVAPI32(00000000), ref: 00FAB994
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 146587525-4033151799
                    • Opcode ID: c0319f9baa173c9b16e4c9adce794ee582504f41559a797156fa408dbeda86ad
                    • Instruction ID: 90b63b59a30a0f9d7550840c3c30d444b991dd488b01e3f6d8baa79bf4fbb789
                    • Opcode Fuzzy Hash: c0319f9baa173c9b16e4c9adce794ee582504f41559a797156fa408dbeda86ad
                    • Instruction Fuzzy Hash: ABC19E71608201AFD710DF14C894F2ABBE5BF89318F14855CF49A8B2A3CB75EC46EB91
                    APIs
                    • GetDC.USER32(00000000), ref: 00FA25D8
                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FA25E8
                    • CreateCompatibleDC.GDI32(?), ref: 00FA25F4
                    • SelectObject.GDI32(00000000,?), ref: 00FA2601
                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FA266D
                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FA26AC
                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FA26D0
                    • SelectObject.GDI32(?,?), ref: 00FA26D8
                    • DeleteObject.GDI32(?), ref: 00FA26E1
                    • DeleteDC.GDI32(?), ref: 00FA26E8
                    • ReleaseDC.USER32(00000000,?), ref: 00FA26F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 966a888a504e99bd801a7ba60bb61fe71089552e4691aba1e3bcc85681d23712
                    • Instruction ID: e6f464ee0240d95115acccdd13381202a428bf8966687533354d2a14d487bc4f
                    • Opcode Fuzzy Hash: 966a888a504e99bd801a7ba60bb61fe71089552e4691aba1e3bcc85681d23712
                    • Instruction Fuzzy Hash: 6661D2B5E00219EFCF04CFA8DD84AAEBBB5FF48310F208529E955A7250D774A941DFA0
                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 00F5DAA1
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D659
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D66B
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D67D
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D68F
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6A1
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6B3
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6C5
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6D7
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6E9
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D6FB
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D70D
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D71F
                      • Part of subcall function 00F5D63C: _free.LIBCMT ref: 00F5D731
                    • _free.LIBCMT ref: 00F5DA96
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F5DAB8
                    • _free.LIBCMT ref: 00F5DACD
                    • _free.LIBCMT ref: 00F5DAD8
                    • _free.LIBCMT ref: 00F5DAFA
                    • _free.LIBCMT ref: 00F5DB0D
                    • _free.LIBCMT ref: 00F5DB1B
                    • _free.LIBCMT ref: 00F5DB26
                    • _free.LIBCMT ref: 00F5DB5E
                    • _free.LIBCMT ref: 00F5DB65
                    • _free.LIBCMT ref: 00F5DB82
                    • _free.LIBCMT ref: 00F5DB9A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: 66d1da93a26f943a4c5673647408e5f198fa42be106dc91619d57c94412fc4bd
                    • Instruction ID: a0bdbf602bf3ae12d03747e62ee5f240c5dcb811ac8db21a9b88e72dc878fa89
                    • Opcode Fuzzy Hash: 66d1da93a26f943a4c5673647408e5f198fa42be106dc91619d57c94412fc4bd
                    • Instruction Fuzzy Hash: 12317E31A05304AFDB31AA39EC41B9677E9FF41322F114519FA48E7292DB39AC48F720
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 00F8369C
                    • _wcslen.LIBCMT ref: 00F836A7
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F83797
                    • GetClassNameW.USER32(?,?,00000400), ref: 00F8380C
                    • GetDlgCtrlID.USER32(?), ref: 00F8385D
                    • GetWindowRect.USER32(?,?), ref: 00F83882
                    • GetParent.USER32(?), ref: 00F838A0
                    • ScreenToClient.USER32(00000000), ref: 00F838A7
                    • GetClassNameW.USER32(?,?,00000100), ref: 00F83921
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F8395D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                    • String ID: %s%u
                    • API String ID: 4010501982-679674701
                    • Opcode ID: b4e9e9de93600fd649a61f76243ff1e78c845502ebe704b68c2ffe7e4dcc4c3f
                    • Instruction ID: a6f4d6e4297d7fef52491e61b870fc86b299bb91252f88b209650742a4f4a497
                    • Opcode Fuzzy Hash: b4e9e9de93600fd649a61f76243ff1e78c845502ebe704b68c2ffe7e4dcc4c3f
                    • Instruction Fuzzy Hash: A291E671604606AFD714EF24C885FEAF7A9FF44B10F004629F999C21A0DB34EA45EB91
                    APIs
                    • GetClassNameW.USER32(?,?,00000400), ref: 00F84994
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F849DA
                    • _wcslen.LIBCMT ref: 00F849EB
                    • CharUpperBuffW.USER32(?,00000000), ref: 00F849F7
                    • _wcsstr.LIBVCRUNTIME ref: 00F84A2C
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F84A64
                    • GetWindowTextW.USER32(?,?,00000400), ref: 00F84A9D
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00F84AE6
                    • GetClassNameW.USER32(?,?,00000400), ref: 00F84B20
                    • GetWindowRect.USER32(?,?), ref: 00F84B8B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                    • String ID: ThumbnailClass
                    • API String ID: 1311036022-1241985126
                    • Opcode ID: f92c321bd9bd719fbdc5b3060d6fd05a74ede028cbf4e72709a57e9ddc7d73c6
                    • Instruction ID: 117062845a31fc25f56a00a7f5a44ac629fa4595ee5c1bf58a744c03b6e9a3be
                    • Opcode Fuzzy Hash: f92c321bd9bd719fbdc5b3060d6fd05a74ede028cbf4e72709a57e9ddc7d73c6
                    • Instruction Fuzzy Hash: 1191C03150820A9FDB04EF14C981FEA77E9FF84324F04846AFD859A096DB34ED45EBA1
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FB8D5A
                    • GetFocus.USER32 ref: 00FB8D6A
                    • GetDlgCtrlID.USER32(00000000), ref: 00FB8D75
                    • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FB8E1D
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FB8ECF
                    • GetMenuItemCount.USER32(?), ref: 00FB8EEC
                    • GetMenuItemID.USER32(?,00000000), ref: 00FB8EFC
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FB8F2E
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FB8F70
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FB8FA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                    • String ID: 0
                    • API String ID: 1026556194-4108050209
                    • Opcode ID: 60f0729a338d3852c5c79b8fd71b5eddae52abd978a04b150ea9efd4a87d407a
                    • Instruction ID: 7cde950a4a44dbf34365edc4e2f45c821882eaf187b4450b3499df4d347da348
                    • Opcode Fuzzy Hash: 60f0729a338d3852c5c79b8fd71b5eddae52abd978a04b150ea9efd4a87d407a
                    • Instruction Fuzzy Hash: 26817D719043059BDB20DF15D884AEBBBEDFBC83A4F140619F98597291DB70D902EFA1
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F8DC20
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F8DC46
                    • _wcslen.LIBCMT ref: 00F8DC50
                    • _wcsstr.LIBVCRUNTIME ref: 00F8DCA0
                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F8DCBC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 1939486746-1459072770
                    • Opcode ID: 86e16d44bd24b31c597d9c238d58a85a4e02b4e6f2fd214c333ac96c1560ce7f
                    • Instruction ID: 26e070e6c052a5e4926ab593650a510e1e2694a7149b7745af8379445b03be43
                    • Opcode Fuzzy Hash: 86e16d44bd24b31c597d9c238d58a85a4e02b4e6f2fd214c333ac96c1560ce7f
                    • Instruction Fuzzy Hash: AD41E032A402057ADB14B675DC47EFF7B6CEF52760F104069FD00E6182EAA8DA01BBA5
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FACC64
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FACC8D
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FACD48
                      • Part of subcall function 00FACC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FACCAA
                      • Part of subcall function 00FACC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FACCBD
                      • Part of subcall function 00FACC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FACCCF
                      • Part of subcall function 00FACC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FACD05
                      • Part of subcall function 00FACC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FACD28
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FACCF3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2734957052-4033151799
                    • Opcode ID: 9bc5d48e00535c9c40d82682194761edab6d4f462117539682ce825fc857a795
                    • Instruction ID: 950778eec097584dc51556c72518726d505339aa3010cb672d0c92321939f3d2
                    • Opcode Fuzzy Hash: 9bc5d48e00535c9c40d82682194761edab6d4f462117539682ce825fc857a795
                    • Instruction Fuzzy Hash: DA316BB190112CBBDB209B55DC88EEFBB7CEF16760F000165F916E2240DA749A45AAE0
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F93D40
                    • _wcslen.LIBCMT ref: 00F93D6D
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F93D9D
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F93DBE
                    • RemoveDirectoryW.KERNEL32(?), ref: 00F93DCE
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F93E55
                    • CloseHandle.KERNEL32(00000000), ref: 00F93E60
                    • CloseHandle.KERNEL32(00000000), ref: 00F93E6B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                    • String ID: :$\$\??\%s
                    • API String ID: 1149970189-3457252023
                    • Opcode ID: d73b2589f39bde622b686085f548f256a744fcb9ebdb42cc898c4d163b7fc12e
                    • Instruction ID: 676e7135a56fb6806cef7f10af0ad385e07360c07afdea09068a01fe02079b18
                    • Opcode Fuzzy Hash: d73b2589f39bde622b686085f548f256a744fcb9ebdb42cc898c4d163b7fc12e
                    • Instruction Fuzzy Hash: D831A17690420DABEB209FA0DC89FEB37BCEF88710F1041B6F615D6160EB749744AB64
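                    The API listings in these records are the IDA plugin's view of each function's call sites, and that is enough to do a first triage pass mechanically. The block below is an added example written for this page; it is not code from the Joe Sandbox report or plugin. It parses the bullet lines in the format shown here and tags four of the patterns visible in the records above: the WinInet request that queries and then sets option 0x1F (INTERNET_OPTION_SECURITY_FLAGS in wininet.h) before HttpSendRequestW, the GetDC/CreateCompatibleBitmap/GetDIBits capture routine, the RegDeleteKeyW/RegDeleteKeyExW cleanup, and the CreateFileW/DeviceIoControl routine whose control code 0x900A4 is FSCTL_SET_REPARSE_POINT (winioctl.h). The sample input is constructed from lines copied out of those records; the constant values are Windows SDK definitions; the parser, the rule logic and the tag names are this example's own assumptions. Rules key only on fixed literals (option IDs, IOCTL codes, export names), because pointer arguments are printed as `?` in the listing.

```python
"""Parse Joe Sandbox 'APIs' listings into structured calls and tag behaviours."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Windows SDK constants (wininet.h, winioctl.h) the rules key on.
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
FSCTL_SET_REPARSE_POINT = 0x000900A4

# Constructed sample: bullet lines copied from four function records on this
# page (WinInet request, screen capture, registry delete, reparse point).
SAMPLE_REPORT = """\
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F9C4B0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F9C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F9C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F9C554
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
APIs
• GetDC.USER32(00000000), ref: 00FA25D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FA25E8
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FA26D0
APIs
  • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00FAB8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FAB904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00FAB922
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F93DBE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F93E55
"""

# "• [Part of subcall function XXXXXXXX: ]Name.MODULE[(args)], ref: XXXXXXXX";
# a call listed without an argument list also has no comma before "ref".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
HEX_RE = re.compile(r"^-?[0-9A-F]{8}$")  # the plugin prints 8-digit hex words
Arg = Union[int, str, None]

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set on "Part of subcall function" lines

def parse_arg(token: str) -> Arg:
    """'?' is unresolved, an 8-digit hex word is an int, anything else a string."""
    if token == "?":
        return None
    return int(token, 16) if HEX_RE.match(token) else token

def parse_report(text: str) -> List[List[ApiCall]]:
    """Every 'APIs' heading opens a new function record; bullet lines feed it."""
    records: List[List[ApiCall]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = CALL_RE.match(line)
        if m is None or not records:
            continue
        raw, sub = m.group("args"), m.group("sub")
        records[-1].append(ApiCall(
            name=m.group("name"), module=m.group("module"),
            args=[parse_arg(a.strip()) for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None))
    return records

def tag_record(calls: List[ApiCall]) -> List[str]:
    """Behaviour tags for one record (tag names are this example's own). Rules
    key on fixed literals, never on pointer columns the plugin shows as '?'."""
    names = {c.name for c in calls}
    def arg1_is(name: str, value: int) -> bool:
        return any(c.name == name and len(c.args) > 1 and c.args[1] == value
                   for c in calls)
    tags: List[str] = []
    # Query-then-set on INTERNET_OPTION_SECURITY_FLAGS is the OR-in-a-flag idiom;
    # the page's value column reads 0x100 (SECURITY_FLAG_IGNORE_UNKNOWN_CA) if it
    # shows the buffer contents rather than the buffer address.
    if arg1_is("InternetSetOptionW", INTERNET_OPTION_SECURITY_FLAGS):
        tags.append("wininet-security-flags-modified")
    if {"InternetConnectW", "HttpSendRequestW"} <= names:
        tags.append("http-request")
    if {"GetDC", "CreateCompatibleBitmap", "GetDIBits"} <= names:
        tags.append("screen-capture")
    if names & {"RegDeleteKeyW", "RegDeleteValueW"} or any(
            c.name == "GetProcAddress" and "RegDeleteKeyExW" in c.args for c in calls):
        tags.append("registry-delete")
    if arg1_is("DeviceIoControl", FSCTL_SET_REPARSE_POINT):
        tags.append("reparse-point-created")
    return tags

def triage(text: str) -> dict:
    """Map each record, keyed by its first call-site address, to its tags."""
    return {f"{calls[0].ref:08X}": tag_record(calls)
            for calls in parse_report(text) if calls}
```

Arguments printed as 8-digit hex become integers and `?` becomes None, so a check such as `args[1] == 0x1F` fails cleanly when the plugin could not resolve the value. What the listing cannot settle is whether the 0x100 in InternetSetOptionW's buffer column is the flag value or the buffer's address, so the example tags on the option ID alone and leaves that reading to manual confirmation in the dump. Feeding it the full report text rather than the constructed sample works the same way, since the regex ignores the Memory Dump Source and Similarity lines.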
                    APIs
                    • timeGetTime.WINMM ref: 00F8E6B4
                      • Part of subcall function 00F3E551: timeGetTime.WINMM(?,?,00F8E6D4), ref: 00F3E555
                    • Sleep.KERNEL32(0000000A), ref: 00F8E6E1
                    • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F8E705
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F8E727
                    • SetActiveWindow.USER32 ref: 00F8E746
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F8E754
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F8E773
                    • Sleep.KERNEL32(000000FA), ref: 00F8E77E
                    • IsWindow.USER32 ref: 00F8E78A
                    • EndDialog.USER32(00000000), ref: 00F8E79B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: cb48c18e25285675b47dd45213e4df599fc26db77d5b3587f65564511eb74a61
                    • Instruction ID: 8057e7578c4878f1a34ff3686e3b1f178a491c479aac76e5ea0b4356b4cd103d
                    • Opcode Fuzzy Hash: cb48c18e25285675b47dd45213e4df599fc26db77d5b3587f65564511eb74a61
                    • Instruction Fuzzy Hash: 80215BB420020CAFEB106F20ECCAE7A3B6EBB54B58B140525F515C21B1DBB5AC00FF64
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F8EA5D
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F8EA73
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F8EA84
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F8EA96
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F8EAA7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: SendString$_wcslen
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2420728520-1007645807
                    • Opcode ID: 508dd63b126616ee58c59dab34cbef859e56c92c7987e0ffd9ad6477463d5e5b
                    • Instruction ID: fbe6449210141b4ffb8b8993174bde00b49a116231d81f2ed0caac7853b91a25
                    • Opcode Fuzzy Hash: 508dd63b126616ee58c59dab34cbef859e56c92c7987e0ffd9ad6477463d5e5b
                    • Instruction Fuzzy Hash: A3118231A5026D79D724E762DC4ADFF7A7CEBD1F50F000425B401E20D1DAB45A45E6B1
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 00F85CE2
                    • GetWindowRect.USER32(00000000,?), ref: 00F85CFB
                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F85D59
                    • GetDlgItem.USER32(?,00000002), ref: 00F85D69
                    • GetWindowRect.USER32(00000000,?), ref: 00F85D7B
                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F85DCF
                    • GetDlgItem.USER32(?,000003E9), ref: 00F85DDD
                    • GetWindowRect.USER32(00000000,?), ref: 00F85DEF
                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F85E31
                    • GetDlgItem.USER32(?,000003EA), ref: 00F85E44
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F85E5A
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00F85E67
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: df3f9cacaf7b729c99d35841e626211d6d3100fc938209270263e41abf772025
                    • Instruction ID: 9f2ee135cbff54065629311d28312bf5a5956925182d7f46ff6b6bb9f9e94523
                    • Opcode Fuzzy Hash: df3f9cacaf7b729c99d35841e626211d6d3100fc938209270263e41abf772025
                    • Instruction Fuzzy Hash: B3510F71E00609AFDF18DF68DD89AAE7BB5AB48710F148229F915E7290D7709D04DB50
                    APIs
                      • Part of subcall function 00F38F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F38BE8,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F38FC5
                    • DestroyWindow.USER32(?), ref: 00F38C81
                    • KillTimer.USER32(00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F38D1B
                    • DestroyAcceleratorTable.USER32(00000000), ref: 00F76973
                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F769A1
                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000,?), ref: 00F769B8
                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F38BBA,00000000), ref: 00F769D4
                    • DeleteObject.GDI32(00000000), ref: 00F769E6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: cfc86abdb6f1db4041c6472c5a9c6b017f0787a72e6775e71ed94e3a21241f37
                    • Instruction ID: 18f27b1a7065ffab4f53fe66c79264d717e2f3ba409ef5c8d844f6a2bd8115f6
                    • Opcode Fuzzy Hash: cfc86abdb6f1db4041c6472c5a9c6b017f0787a72e6775e71ed94e3a21241f37
                    • Instruction Fuzzy Hash: AA61AB31902B08DFDB359F24CA48B2677B1FF403B2F149519E04697560CB79A882FFA1
                    APIs
                      • Part of subcall function 00F39944: GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                    • GetSysColor.USER32(0000000F), ref: 00F39862
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: c29b0c7062656c041d77f60d690bfbb313b8ed6d6cc976abdda92410146ede4c
                    • Instruction ID: 1e3501592cb0695f64c0f6f7f0bd30f2a9439fa1f1dd7ecfbf9666e5573277b1
                    • Opcode Fuzzy Hash: c29b0c7062656c041d77f60d690bfbb313b8ed6d6cc976abdda92410146ede4c
                    • Instruction Fuzzy Hash: E841C131508644AFDB209F3C9C84BBA3BA5AB46330F584605F9A6972E1C7F19C41FF61
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F89717
                    • LoadStringW.USER32(00000000,?,00F6F7F8,00000001), ref: 00F89720
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F6F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F89742
                    • LoadStringW.USER32(00000000,?,00F6F7F8,00000001), ref: 00F89745
                    • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F89866
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wcslen
                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                    • API String ID: 747408836-2268648507
                    • Opcode ID: 173f2f8013365a2e8c6fa012012fcd562e89b951b537ce227f98d2d35e2a2b19
                    • Instruction ID: 6d40f284321dd0aa53cf68c2b388243228760e5044ed88313dfff7dd7270235b
                    • Opcode Fuzzy Hash: 173f2f8013365a2e8c6fa012012fcd562e89b951b537ce227f98d2d35e2a2b19
                    • Instruction Fuzzy Hash: D241307280422DAACF04FBE0ED96DEE7778AF54340F540425F505B2092EB796F48EB61
                    APIs
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F807A2
                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F807BE
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F807DA
                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F80804
                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F8082C
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F80837
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F8083C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                    • API String ID: 323675364-22481851
                    • Opcode ID: dd5a8c9301f956e08588b567a59563d4c2d4b4c21129e13f83ea7a7c3dde7732
                    • Instruction ID: 13acff9438c10faa60e6d5321a94643550bc92460027e3ea3fc7e093f11fb888
                    • Opcode Fuzzy Hash: dd5a8c9301f956e08588b567a59563d4c2d4b4c21129e13f83ea7a7c3dde7732
                    • Instruction Fuzzy Hash: B5410672C1022DABDF15EBA4EC958EEB778BF04750F444129F901A7161EB749E48EFA0
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00FA3C5C
                    • CoInitialize.OLE32(00000000), ref: 00FA3C8A
                    • CoUninitialize.OLE32 ref: 00FA3C94
                    • _wcslen.LIBCMT ref: 00FA3D2D
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00FA3DB1
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FA3ED5
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FA3F0E
                    • CoGetObject.OLE32(?,00000000,00FBFB98,?), ref: 00FA3F2D
                    • SetErrorMode.KERNEL32(00000000), ref: 00FA3F40
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FA3FC4
                    • VariantClear.OLEAUT32(?), ref: 00FA3FD8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                    • String ID:
                    • API String ID: 429561992-0
                    • Opcode ID: 79a1e147e3d099fa0f71a5c10ff50d87db63836789857cabf2915e61cf1d885d
                    • Instruction ID: 7195ef24c0b76b159529423db29c9e34c1cbef453b525c7129b9a23b3bf0d6ce
                    • Opcode Fuzzy Hash: 79a1e147e3d099fa0f71a5c10ff50d87db63836789857cabf2915e61cf1d885d
                    • Instruction Fuzzy Hash: F0C146B1A083059FD700DF68C88492BB7E9FF8A754F14491DF98A9B251DB30EE05DB92
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 00F97AF3
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F97B8F
                    • SHGetDesktopFolder.SHELL32(?), ref: 00F97BA3
                    • CoCreateInstance.OLE32(00FBFD08,00000000,00000001,00FE6E6C,?), ref: 00F97BEF
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F97C74
                    • CoTaskMemFree.OLE32(?,?), ref: 00F97CCC
                    • SHBrowseForFolderW.SHELL32(?), ref: 00F97D57
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F97D7A
                    • CoTaskMemFree.OLE32(00000000), ref: 00F97D81
                    • CoTaskMemFree.OLE32(00000000), ref: 00F97DD6
                    • CoUninitialize.OLE32 ref: 00F97DDC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                    • String ID:
                    • API String ID: 2762341140-0
                    • Opcode ID: ff3bdbca6174ae472a470d40a810f12aa5c17568d1acb2bb9d60b7d574da9d7e
                    • Instruction ID: b1a99fd262532169545f5cd2799824ae3d66d6baeaa23a4ea1475d1a6514e66b
                    • Opcode Fuzzy Hash: ff3bdbca6174ae472a470d40a810f12aa5c17568d1acb2bb9d60b7d574da9d7e
                    • Instruction Fuzzy Hash: 73C14975A04219AFDB14DFA4C884DAEBBF9FF48314B148199E81ADB261C730EE41DF90
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FB5504
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB5515
                    • CharNextW.USER32(00000158), ref: 00FB5544
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FB5585
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FB559B
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB55AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$CharNext
                    • String ID:
                    • API String ID: 1350042424-0
                    • Opcode ID: 6bac55024201c9e0f9f97d0bf453fe72933363b3ce314d3523e5d649c3d1cd7c
                    • Instruction ID: 828b0ce5f14e91421f1eb4fd5cdf44c402f850c9e42f1adb525a5eadbad4c8ce
                    • Opcode Fuzzy Hash: 6bac55024201c9e0f9f97d0bf453fe72933363b3ce314d3523e5d649c3d1cd7c
                    • Instruction Fuzzy Hash: 8C616B35900608EFDF20DF56CC84BFE7BB9EB09B25F144145F525AA290D7788A80EF60
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F7FAAF
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00F7FB08
                    • VariantInit.OLEAUT32(?), ref: 00F7FB1A
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F7FB3A
                    • VariantCopy.OLEAUT32(?,?), ref: 00F7FB8D
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F7FBA1
                    • VariantClear.OLEAUT32(?), ref: 00F7FBB6
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00F7FBC3
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F7FBCC
                    • VariantClear.OLEAUT32(?), ref: 00F7FBDE
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F7FBE9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: 011bec13991f5a83073f892bce7a3ae880530a8a1c1f44655e8ba9aeae0874dd
                    • Instruction ID: 049ceb1407e726456666c7e30067d04d17ef66ecfab945c0381b30b7b0e51e1f
                    • Opcode Fuzzy Hash: 011bec13991f5a83073f892bce7a3ae880530a8a1c1f44655e8ba9aeae0874dd
                    • Instruction Fuzzy Hash: C1416535900219DFCF00DF68DC949AEBBB9FF48354F00C065E956A7261C734AA45DFA1
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00F89CA1
                    • GetAsyncKeyState.USER32(000000A0), ref: 00F89D22
                    • GetKeyState.USER32(000000A0), ref: 00F89D3D
                    • GetAsyncKeyState.USER32(000000A1), ref: 00F89D57
                    • GetKeyState.USER32(000000A1), ref: 00F89D6C
                    • GetAsyncKeyState.USER32(00000011), ref: 00F89D84
                    • GetKeyState.USER32(00000011), ref: 00F89D96
                    • GetAsyncKeyState.USER32(00000012), ref: 00F89DAE
                    • GetKeyState.USER32(00000012), ref: 00F89DC0
                    • GetAsyncKeyState.USER32(0000005B), ref: 00F89DD8
                    • GetKeyState.USER32(0000005B), ref: 00F89DEA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: 0ac6e8a1ab910a10052530d310524075abdb43ad5107a0e019feafb94cdf1e0a
                    • Instruction ID: b4732d1f4c1b8bcb8473f68a99b2b926ff8b59d9043650ac9b2949209b26bafc
                    • Opcode Fuzzy Hash: 0ac6e8a1ab910a10052530d310524075abdb43ad5107a0e019feafb94cdf1e0a
                    • Instruction Fuzzy Hash: CE41BA34E0C7CA6DFF31A760C8443F6BEA06B12364F0C805AD9C6565C1DBE559C4EBA5
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 00FA05BC
                    • inet_addr.WSOCK32(?), ref: 00FA061C
                    • gethostbyname.WSOCK32(?), ref: 00FA0628
                    • IcmpCreateFile.IPHLPAPI ref: 00FA0636
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FA06C6
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FA06E5
                    • IcmpCloseHandle.IPHLPAPI(?), ref: 00FA07B9
                    • WSACleanup.WSOCK32 ref: 00FA07BF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: a88c714fa8f1f7c94e20bf6d489a0682cc98fed12865b143af48402f35ff40ce
                    • Instruction ID: 57a02fa6a38d7e3cbf17cbbf5f7452e25ab097db7e9853d726b4583a1286238a
                    • Opcode Fuzzy Hash: a88c714fa8f1f7c94e20bf6d489a0682cc98fed12865b143af48402f35ff40ce
                    • Instruction Fuzzy Hash: 7991A1B59042019FD720CF15E889F1ABBE0AF45328F1885A9F4699B7A2CB34FC45DF91
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharLower
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 707087890-567219261
                    • Opcode ID: 9b41d3f88887882cf95159076ef5522b4564e26453589506a6da5330a73c4f48
                    • Instruction ID: 599afd69b3939c11603cb9ec09a0c52b54e32260cf0c47357e84fd764971bdce
                    • Opcode Fuzzy Hash: 9b41d3f88887882cf95159076ef5522b4564e26453589506a6da5330a73c4f48
                    • Instruction Fuzzy Hash: 5E51C6B1E00116DBCF14DFA8C8805BEB7A5BF653A4B204229E416E72C0DFB4DD42E790
                    APIs
                    • CoInitialize.OLE32 ref: 00FA3774
                    • CoUninitialize.OLE32 ref: 00FA377F
                    • CoCreateInstance.OLE32(?,00000000,00000017,00FBFB78,?), ref: 00FA37D9
                    • IIDFromString.OLE32(?,?), ref: 00FA384C
                    • VariantInit.OLEAUT32(?), ref: 00FA38E4
                    • VariantClear.OLEAUT32(?), ref: 00FA3936
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 636576611-1287834457
                    • Opcode ID: 5129e72637dff8d36265070f24af9c8ea5f9cd9a9563b47341b6b3faabc76e43
                    • Instruction ID: c53584b666714d3aa27d48f7138aa1befe512010d296644f81a66f519610a3ca
                    • Instruction Fuzzy Hash: 0861B1B1608311AFD310DF54D889F6BB7E4EF4A710F100919F5859B291C774EE48EB92
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F933CF
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F933F0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LoadString$_wcslen
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                    • API String ID: 4099089115-3080491070
                    • Opcode ID: 9badd378a90e3cc4c9e04ba222131bfa57f88415082603af90f3186f62049a6e
                    • Instruction ID: c5f46c8592cc928f182e0d7d45ba47ee3a0ee96e2dacf26cd3b611415a9c3f13
                    • Instruction Fuzzy Hash: C151AE72C0021AAADF15EBA0DD42EEEB778AF18740F144065F105B2092EB796F58FF61
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                    • API String ID: 1256254125-769500911
                    • Opcode ID: 30e007b80d96b974719b72072d42ee73389902f4e1c37940f2d5b8ac3d0fdd96
                    • Instruction ID: b481dc34736d062de1fb29a48ac03170bb063e211b394eb6780545890ac4b050
                    • Instruction Fuzzy Hash: 3541A532E0112B9BCB207F7D8C905FE7BA5AF607A4B254169E825D7284FB35CD81E790
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00F953A0
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F95416
                    • GetLastError.KERNEL32 ref: 00F95420
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00F954A7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: 14562f10f5504160846e2a7e3dbae6661f2f11f884351e291f1a2adcddbae10c
                    • Instruction ID: 4ffc134fd728f076bac67b9a292631a28347b636e12acd0d894fa05b31f82e31
                    • Instruction Fuzzy Hash: B431F435E002089FEB52DF6CC898BAABBB4FF44715F148065E405DB292D771DD82EB90
                    APIs
                    • CreateMenu.USER32 ref: 00FB3C79
                    • SetMenu.USER32(?,00000000), ref: 00FB3C88
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB3D10
                    • IsMenu.USER32(?), ref: 00FB3D24
                    • CreatePopupMenu.USER32 ref: 00FB3D2E
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FB3D5B
                    • DrawMenuBar.USER32 ref: 00FB3D63
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                    • String ID: 0$F
                    • API String ID: 161812096-3044882817
                    • Opcode ID: c194fa0c46166df4fb4b9f6b178221b4f4a7128c03bbbc3d86aef8e631c063c4
                    • Instruction ID: d592fee756b10156e1999e139b3ec9dbf4b209afe95846adcffccbb0650f4ab9
                    • Instruction Fuzzy Hash: 4C415A79A01209EFDB24CFA5D884AEA7BB5FF49350F140129F946A7360D770AA10EF94
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00F81F64
                    • GetDlgCtrlID.USER32 ref: 00F81F6F
                    • GetParent.USER32 ref: 00F81F8B
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F81F8E
                    • GetDlgCtrlID.USER32(?), ref: 00F81F97
                    • GetParent.USER32(?), ref: 00F81FAB
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F81FAE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 711023334-1403004172
                    • Opcode ID: 80fd80f14b5d91f878a0c898cce39956d6e050a76e291caca5d5c24d4387f2c3
                    • Instruction ID: d16d4fc8ea56e887596424b04a80235597f880a12e662f31078e59ca68e47092
                    • Instruction Fuzzy Hash: 8D21C575D00118BBCF04AFA0DC95DEEBBB9FF09310F000215F955672A1DB785905EB60
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FB3A9D
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FB3AA0
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB3AC7
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FB3AEA
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FB3B62
                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FB3BAC
                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FB3BC7
                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FB3BE2
                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FB3BF6
                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FB3C13
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow
                    • String ID:
                    • API String ID: 312131281-0
                    • Opcode ID: e1fd5ef2057a3b0a4c38f3293fe007921df79a3ea8f6f7bce4fd5497f39c7464
                    • Instruction ID: 48ae1aef90223e0fe58e48d792ba94d06e9275f3e0035011148d3aed35a749fe
                    • Instruction Fuzzy Hash: 60616975940248AFDB20DFA8CC81EEE77F8AF49710F104199FA15A72A1C7B4AA45EF50
                    APIs
                    • _free.LIBCMT ref: 00F52C94
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F52CA0
                    • _free.LIBCMT ref: 00F52CAB
                    • _free.LIBCMT ref: 00F52CB6
                    • _free.LIBCMT ref: 00F52CC1
                    • _free.LIBCMT ref: 00F52CCC
                    • _free.LIBCMT ref: 00F52CD7
                    • _free.LIBCMT ref: 00F52CE2
                    • _free.LIBCMT ref: 00F52CED
                    • _free.LIBCMT ref: 00F52CFB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 77dce6ddcbcbfc1e77561064bd7d2fe8c8cfbd4256edc27db7e97b119a48b0d2
                    • Instruction ID: af237a842eb8f141af3e89b51e8281628fedb8088428f607338e60bc00e414e5
                    • Instruction Fuzzy Hash: A311B476100108AFCB42EF58DC42CDD3BB5BF06351F4146A4FA486B322D635EA54BB90
                    APIs
                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F21459
                    • OleUninitialize.OLE32(?,00000000), ref: 00F214F8
                    • UnregisterHotKey.USER32(?), ref: 00F216DD
                    • DestroyWindow.USER32(?), ref: 00F624B9
                    • FreeLibrary.KERNEL32(?), ref: 00F6251E
                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F6254B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                    • String ID: close all
                    • API String ID: 469580280-3243417748
                    • Opcode ID: f8cd49947262452b386055821ad0d4c5cb435dac19ee14e4d5ab2f136b593b11
                    • Instruction ID: b01f624b24f446ebe9f5e66b3c61b6ec6af5e6bfc7d63111b173ff6d47c689c1
                    • Instruction Fuzzy Hash: CFD1B231B01222CFDB29EF15D899B69F7A0BF15710F1442ADE44A6B252CB31EC12EF95
                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F97FAD
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F97FC1
                    • GetFileAttributesW.KERNEL32(?), ref: 00F97FEB
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F98005
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98017
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F98060
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F980B0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CurrentDirectory$AttributesFile
                    • String ID: *.*
                    • API String ID: 769691225-438819550
                    • Opcode ID: e8561734233914544a13531ee6f2c0043330c4b919d20e810b0d1723ec46bb88
                    • Instruction ID: 2119d7958941e522c21caf51836a766857825f32bae8797bb12710eee8f51e07
                    • Instruction Fuzzy Hash: 8E81C2729183459BEF20FF14C844AAEB3E8BF89360F14485EF885D7250DB74DD49AB92
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00F25C7A
                      • Part of subcall function 00F25D0A: GetClientRect.USER32(?,?), ref: 00F25D30
                      • Part of subcall function 00F25D0A: GetWindowRect.USER32(?,?), ref: 00F25D71
                      • Part of subcall function 00F25D0A: ScreenToClient.USER32(?,?), ref: 00F25D99
                    • GetDC.USER32 ref: 00F646F5
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F64708
                    • SelectObject.GDI32(00000000,00000000), ref: 00F64716
                    • SelectObject.GDI32(00000000,00000000), ref: 00F6472B
                    • ReleaseDC.USER32(?,00000000), ref: 00F64733
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F647C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 6c2d766748cdce930a4c9dd0e5c0e01aed0d604324b797eb41d9e6d9efe9846a
                    • Instruction ID: 04e094721d3a230ca996ba8609f3e1025d3cc94b91c7d8cd3afedd0859f4dd96
                    • Instruction Fuzzy Hash: 3371FF31800209DFCF21AF64C984AFA7BB6FF4A364F144269ED555A2A6D335A841FF60
                    APIs
                    • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F935E4
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • LoadStringW.USER32(00FF2390,?,00000FFF,?), ref: 00F9360A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LoadString$_wcslen
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 4099089115-2391861430
                    • Opcode ID: bf2f66edc10ed2b6efedefdd63a0da944ca29cdbd728156abeea92899a666364
                    • Instruction ID: 61529080c406f3c37775a4e16dac2b12a9264a1832b582e7e161a1211c9b267a
                    • Instruction Fuzzy Hash: 23518F72C0421AAADF14EBE0DC42EEEBB78AF14300F144125F105B21A1DB795B98FFA1
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                      • Part of subcall function 00F3912D: GetCursorPos.USER32(?), ref: 00F39141
                      • Part of subcall function 00F3912D: ScreenToClient.USER32(00000000,?), ref: 00F3915E
                      • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000001), ref: 00F39183
                      • Part of subcall function 00F3912D: GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FB8B6B
                    • ImageList_EndDrag.COMCTL32 ref: 00FB8B71
                    • ReleaseCapture.USER32 ref: 00FB8B77
                    • SetWindowTextW.USER32(?,00000000), ref: 00FB8C12
                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FB8C25
                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FB8CFF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 1924731296-2107944366
                    • Opcode ID: c318d08c268233e6badc767cadf014c960a21a4f0686725c59addfc4568173b2
                    • Instruction ID: 597f2a21089d4e1a1bdd3d9a8cdbe11b627d3316e17490eb8ae4bf5590157cf7
                    • Instruction Fuzzy Hash: D0519EB1504304AFD710EF11DC95FAA77E8FB88750F00062DF955A72A1CBB5A904EFA2
                    APIs
                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9C272
                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F9C29A
                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F9C2CA
                    • GetLastError.KERNEL32 ref: 00F9C322
                    • SetEvent.KERNEL32(?), ref: 00F9C336
                    • InternetCloseHandle.WININET(00000000), ref: 00F9C341
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                    • String ID:
                    • API String ID: 3113390036-3916222277
                    • Opcode ID: 474e4cba0b8c8ad8af19b3f37a6a0e2229beceaeaaed10d791e5f33088d7250f
                    • Instruction ID: b909ccfb2b0f2d377be44a55faf5a8e2237afe637f5ca0df775eb2ed393266ea
                    • Instruction Fuzzy Hash: A7314CB1A00608AFEB219F65CC88EAB7BFCEB49754B14851EF446D2211DB34DD04ABE1
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F63AAF,?,?,Bad directive syntax error,00FBCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F898BC
                    • LoadStringW.USER32(00000000,?,00F63AAF,?), ref: 00F898C3
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F89987
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleString_wcslen
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 858772685-4153970271
                    • Opcode ID: 80e45f68798f74c193548c57dd25568586c7c00b848825bf7852bea6705236ff
                    • Instruction ID: f20c5a6a8b8f221fda018bd9d53fb85de57911f79d210348a9e9d67c94387333
                    • Instruction Fuzzy Hash: 62218271C0421EABCF15EF90DC06EEE7735BF18300F084425F515620A1DB799A18FB51
                    APIs
                    • GetParent.USER32 ref: 00F820AB
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00F820C0
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F8214D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1290815626-3381328864
                    • Opcode ID: 92cac54bc33e6e7794e70d2530d41a3ad1e09a3855c2fa0200eb38dabbf68a1c
                    • Instruction ID: eeb32902aad82d23f0b024aacab04e82c2011b93c5e4171ccda90469cee56537
                    • Opcode Fuzzy Hash: 92cac54bc33e6e7794e70d2530d41a3ad1e09a3855c2fa0200eb38dabbf68a1c
                    • Instruction Fuzzy Hash: EB11C677A88B06BAF6017621DC0AEE7379DDB05728B300116FB04B51E2FEA9B8417B55
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                    • String ID:
                    • API String ID: 1282221369-0
                    • Opcode ID: 38172f69403fd8876779333f231772b835c1fb6a871edb6e2bcbcb26d2ec4322
                    • Instruction ID: b39d2d5da4669a2f9aaa6c84cc84d6d9fe85b83ad4179b08f538bec2b77f61d4
                    • Opcode Fuzzy Hash: 38172f69403fd8876779333f231772b835c1fb6a871edb6e2bcbcb26d2ec4322
                    • Instruction Fuzzy Hash: 10610771D043046FDB21AFB49C81A6D7BE9AF05722F04416DEF46A7282DB359909F7E0
                    APIs
                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FB5186
                    • ShowWindow.USER32(?,00000000), ref: 00FB51C7
                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 00FB51CD
                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FB51D1
                      • Part of subcall function 00FB6FBA: DeleteObject.GDI32(00000000), ref: 00FB6FE6
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB520D
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FB521A
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FB524D
                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FB5287
                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FB5296
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                    • String ID:
                    • API String ID: 3210457359-0
                    • Opcode ID: 9f0b53cf4effcf3e7f3e7156ea91e70d643c41b913e741af3765c94c2eca59ce
                    • Instruction ID: e3ade9f36739003217039db5abb7d310fe5537b9d1b1434c39f4588d163f685d
                    • Opcode Fuzzy Hash: 9f0b53cf4effcf3e7f3e7156ea91e70d643c41b913e741af3765c94c2eca59ce
                    • Instruction Fuzzy Hash: B5519331A42A08BFEF249F6ADC46BD93B65FB05B21F144112F515962E0C7BDA980FF40
                    APIs
                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F76890
                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F768A9
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F768B9
                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F768D1
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F768F2
                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F38874,00000000,00000000,00000000,000000FF,00000000), ref: 00F76901
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F7691E
                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F38874,00000000,00000000,00000000,000000FF,00000000), ref: 00F7692D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                    • String ID:
                    • API String ID: 1268354404-0
                    • Opcode ID: 3ee2c240a45b128e0fc3cf34599b790121c322bbc6cee6c3b0688e72832b8193
                    • Instruction ID: fc6da4cfdcc503eeddfd9e4d07df48459e5c54ac2f097f14ce8090c86a21dede
                    • Opcode Fuzzy Hash: 3ee2c240a45b128e0fc3cf34599b790121c322bbc6cee6c3b0688e72832b8193
                    • Instruction Fuzzy Hash: D2514970A0070AEFDB20CF24CC95BAA7BB5FF88760F104519F956D72A0DBB4A951EB50
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F9C182
                    • GetLastError.KERNEL32 ref: 00F9C195
                    • SetEvent.KERNEL32(?), ref: 00F9C1A9
                      • Part of subcall function 00F9C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F9C272
                      • Part of subcall function 00F9C253: GetLastError.KERNEL32 ref: 00F9C322
                      • Part of subcall function 00F9C253: SetEvent.KERNEL32(?), ref: 00F9C336
                      • Part of subcall function 00F9C253: InternetCloseHandle.WININET(00000000), ref: 00F9C341
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 337547030-0
                    • Opcode ID: d5d15a552be159f61c1c576f547fc89ca5be01836d9e4db821811584e4614891
                    • Instruction ID: 755bc1d026c23d75402b7941ca4ee92a92dac365d2370d96863f3c55b8109173
                    • Opcode Fuzzy Hash: d5d15a552be159f61c1c576f547fc89ca5be01836d9e4db821811584e4614891
                    • Instruction Fuzzy Hash: 5F318A71600605AFEF219FA5DC84A67BBF8FF58310B14452EF95A82610DB31E814BFE0
                    APIs
                      • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                      • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                      • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F825BD
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F825DB
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F825DF
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F825E9
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F82601
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F82605
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F8260F
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F82623
                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F82627
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    • Opcode ID: baf8414372323f79f790fa94ec4a46e9327591d580bb0b4704103f0a4a27800f
                    • Instruction ID: c2f75f6b613e7c624d78c59c3895aa4adf30277813f89553cc0149e216a5cf66
                    • Opcode Fuzzy Hash: baf8414372323f79f790fa94ec4a46e9327591d580bb0b4704103f0a4a27800f
                    • Instruction Fuzzy Hash: A201D471390214BBFB107769DCCAF9A3F59DB4EB12F100102F358AE0E1C9F22444AEA9
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F81449,?,?,00000000), ref: 00F8180C
                    • HeapAlloc.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F81813
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F81449,?,?,00000000), ref: 00F81828
                    • GetCurrentProcess.KERNEL32(?,00000000,?,00F81449,?,?,00000000), ref: 00F81830
                    • DuplicateHandle.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F81833
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F81449,?,?,00000000), ref: 00F81843
                    • GetCurrentProcess.KERNEL32(00F81449,00000000,?,00F81449,?,?,00000000), ref: 00F8184B
                    • DuplicateHandle.KERNEL32(00000000,?,00F81449,?,?,00000000), ref: 00F8184E
                    • CreateThread.KERNEL32(00000000,00000000,00F81874,00000000,00000000,00000000), ref: 00F81868
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    • Opcode ID: 6b8c99c04229e3c07d52a98bb33fbee155af4d09c42a686afecdfe838354ab4c
                    • Instruction ID: 45e7114bd2608c5827225d1329246737913b7d2a4e5e6b468471a61cf61c50dd
                    • Opcode Fuzzy Hash: 6b8c99c04229e3c07d52a98bb33fbee155af4d09c42a686afecdfe838354ab4c
                    • Instruction Fuzzy Hash: F301BFB5240308BFE710AFA5DC8DF573BACEB89B11F404511FA05EB192C6709800DF60
                    APIs
                      • Part of subcall function 00F8D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F8D501
                      • Part of subcall function 00F8D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F8D50F
                      • Part of subcall function 00F8D4DC: CloseHandle.KERNEL32(00000000), ref: 00F8D5DC
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FAA16D
                    • GetLastError.KERNEL32 ref: 00FAA180
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FAA1B3
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FAA268
                    • GetLastError.KERNEL32(00000000), ref: 00FAA273
                    • CloseHandle.KERNEL32(00000000), ref: 00FAA2C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    • Opcode ID: 1d3db64876fa77da8fc892fff7c37bca269f124eeac13808c887aab8e52b2705
                    • Instruction ID: a09132c275764b9821351af7929c41899ce6c6d4fe295a7b52ecfd02c710da7d
                    • Opcode Fuzzy Hash: 1d3db64876fa77da8fc892fff7c37bca269f124eeac13808c887aab8e52b2705
                    • Instruction Fuzzy Hash: 65617F71604242AFD720DF14C894F1ABBE5AF45318F14849CE4668FBA3C776EC49DB92
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FB3925
                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FB393A
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FB3954
                    • _wcslen.LIBCMT ref: 00FB3999
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FB39C6
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FB39F4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$Window_wcslen
                    • String ID: SysListView32
                    • API String ID: 2147712094-78025650
                    • Opcode ID: 34a653c8c79c2f28b7820c62b08fb2efb65e458a8d2d77b0ca3e60fed6f95e82
                    • Instruction ID: 437fd0412b4791c5e131ccd30f69569ff6bfc202c38e6e13e4657bf8d0d31d0d
                    • Opcode Fuzzy Hash: 34a653c8c79c2f28b7820c62b08fb2efb65e458a8d2d77b0ca3e60fed6f95e82
                    • Instruction Fuzzy Hash: 0941B271A40218ABEB219F65CC45FEA7BA9EF08360F100126F958E7281D7B5D980EF90
                    APIs
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F8BCFD
                    • IsMenu.USER32(00000000), ref: 00F8BD1D
                    • CreatePopupMenu.USER32 ref: 00F8BD53
                    • GetMenuItemCount.USER32(01505208), ref: 00F8BDA4
                    • InsertMenuItemW.USER32(01505208,?,00000001,00000030), ref: 00F8BDCC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                    • String ID: 0$2
                    • API String ID: 93392585-3793063076
                    • Opcode ID: 524803369a68fad285934faabae98a8be52d8a5f9e4cfc7d1644e67fab4add1e
                    • Instruction ID: ebf5db49cad27a97549dcfdda077cc0de8db218175515fc9eedff648e632839e
                    • Opcode Fuzzy Hash: 524803369a68fad285934faabae98a8be52d8a5f9e4cfc7d1644e67fab4add1e
                    • Instruction Fuzzy Hash: 8451AF72A00209EBDF20EFA8D8C8BEEBBF4AF45324F144219E851D7291D7749945EB61
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00F8C913
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    • Opcode ID: f12378fc7fc0f0c28395068fcbc5a5c47b1c46d829d3b93c4f02e528fcf961e2
                    • Instruction ID: 2feac820c8119ddcb21b39f749835c5b6bf7cf396ff3ddc7d52c3b4108027bb6
                    • Opcode Fuzzy Hash: f12378fc7fc0f0c28395068fcbc5a5c47b1c46d829d3b93c4f02e528fcf961e2
                    • Instruction Fuzzy Hash: 0511EE32A8970ABAA7017B559C82DDB7B9CDF15764B20006BF500E5281EB7CAD4073F5
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$LocalTime
                    • String ID:
                    • API String ID: 952045576-0
                    • Opcode ID: 329dafba768fca8827cd548d63c70f58793aa26515f8d4ee8c23e18081fdff54
                    • Instruction ID: e11495c1d3762ed278cee45ae440af9e114dce5a2bae35e7069d14e107ad6a84
                    • Opcode Fuzzy Hash: 329dafba768fca8827cd548d63c70f58793aa26515f8d4ee8c23e18081fdff54
                    • Instruction Fuzzy Hash: 36418566C1011875CB11FBF48C8AACFBBA8AF45710F508566E914F3121FB78E355E3A6
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F3F953
                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F7F3D1
                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00F7F454
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: c404d9ae1f345ed0b069795f18e71e8848ff42cbb978ed049bfdc34781f5a6ff
                    • Instruction ID: 1a6760cce092a92128ace31e50255311d5d80ec2eda07786f5ec0f270d3c70fb
                    • Opcode Fuzzy Hash: c404d9ae1f345ed0b069795f18e71e8848ff42cbb978ed049bfdc34781f5a6ff
                    • Instruction Fuzzy Hash: 75412931E09640BBC7389B29CCC876B7B92BF56330F14813DE08B56660C672A888FB51
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 00FB2D1B
                    • GetDC.USER32(00000000), ref: 00FB2D23
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FB2D2E
                    • ReleaseDC.USER32(00000000,00000000), ref: 00FB2D3A
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FB2D76
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FB2D87
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FB5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FB2DC2
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FB2DE1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 1bae4597dd4ae8c5528974e19327261af84e3ed49cc63cb8b09127e2a580be1a
                    • Instruction ID: 55eed22eddcd5baf618ab3c0e3b4c8d2a6efe70f6370befc4d730587950a08ae
                    • Opcode Fuzzy Hash: 1bae4597dd4ae8c5528974e19327261af84e3ed49cc63cb8b09127e2a580be1a
                    • Instruction Fuzzy Hash: 1E31A972201218BBEB208F14CC8AFEB3BA9EF49721F044155FE089A291C6B58C40DBA0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: 34f3c89f6f2590ac09f53c993035ac67775a53e5c1d14bed37bf7bca2fbcd749
                    • Instruction ID: 6e34397edcad331dda5a0508aa5f28621cf791fc9b76ca1ba952a74946331bcd
                    • Opcode Fuzzy Hash: 34f3c89f6f2590ac09f53c993035ac67775a53e5c1d14bed37bf7bca2fbcd749
                    • Instruction Fuzzy Hash: 3C21F9B2A50A0977D6147921CD82FFB375CBF20B94F444020FD059A581F724EE54B7A6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    • API String ID: 0-572801152
                    • Opcode ID: 1c0103fc4ba805b2840e9fe76ae64308fa488fe60b3421d7933ae6a3807bb773
                    • Instruction ID: a6fe33ddce6d216d369128ea3710a75ec6c91ddc67711906f1d3368fe98667f8
                    • Opcode Fuzzy Hash: 1c0103fc4ba805b2840e9fe76ae64308fa488fe60b3421d7933ae6a3807bb773
                    • Instruction Fuzzy Hash: 2DD1B1B1E0070AAFDF10CFA8C880BAEB7B5BF49754F148069E915AB281E770DD45DB90
                    APIs
                    • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F615CE
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F61651
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F617FB,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F616E4
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F616FB
                      • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F617FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F61777
                    • __freea.LIBCMT ref: 00F617A2
                    • __freea.LIBCMT ref: 00F617AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                    • String ID:
                    • API String ID: 2829977744-0
                    • Opcode ID: a7cb26b7bae18076865b8cdc3bc886a505af6b9628881ff1fd25b60d072dff49
                    • Instruction ID: d876ace07b07957e6fd595c1db5afebdeb621443886e668bcbe1982da0bd888f
                    • Opcode Fuzzy Hash: a7cb26b7bae18076865b8cdc3bc886a505af6b9628881ff1fd25b60d072dff49
                    • Instruction Fuzzy Hash: 0D91B372E002169BDF208E74CC91AEEBBB5BF49720F1C4659E902E7191DB35DD44EBA0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearInit
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2610073882-625585964
                    • Opcode ID: feacb22af4dd1758c15b16a76b09f0aa5d4b66aa871ae83da4449046775c46bf
                    • Instruction ID: a8bbb61db811e8a3aa1e0e6a7b39cd190284759ca4ec74058c6da436d69cd4f8
                    • Opcode Fuzzy Hash: feacb22af4dd1758c15b16a76b09f0aa5d4b66aa871ae83da4449046775c46bf
                    • Instruction Fuzzy Hash: 059182B1E00255ABDF20CFA5DC44FAEB7B8EF86720F108559F505AB281D7B0A945DFA0
                    APIs
                    • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F9125C
                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F91284
                    • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F912A8
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F912D8
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F9135F
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F913C4
                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F91430
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                    • String ID:
                    • API String ID: 2550207440-0
                    • Opcode ID: 07b190dfea33e1373df717b670524d28b5970706e49e690442bf7ca8a58a3c52
                    • Instruction ID: 3ba0907d0ad6502d9f6c75a40bacd036d5dc7128b7b0cb18693e288577873f3e
                    • Opcode Fuzzy Hash: 07b190dfea33e1373df717b670524d28b5970706e49e690442bf7ca8a58a3c52
                    • Instruction Fuzzy Hash: 1991D276E0021AAFEF00DF98C884BBE77B5FF45325F104129E900EB291D778A945EB90
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 0e19bc8e7dd12e79496b2c46a87be79bff06aefb8471eaedc5554795737c9067
                    • Instruction ID: 61d6356da7234add7dd521833349f9c6e34ecb6ab2fd504406728ac857dcea20
                    • Opcode Fuzzy Hash: 0e19bc8e7dd12e79496b2c46a87be79bff06aefb8471eaedc5554795737c9067
                    • Instruction Fuzzy Hash: 91911671D04219AFCB50DFA9CC84AEEBBB8FF49320F148159E515B7251D3B8A981EF60
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00FA396B
                    • CharUpperBuffW.USER32(?,?), ref: 00FA3A7A
                    • _wcslen.LIBCMT ref: 00FA3A8A
                    • VariantClear.OLEAUT32(?), ref: 00FA3C1F
                      • Part of subcall function 00F90CDF: VariantInit.OLEAUT32(00000000), ref: 00F90D1F
                      • Part of subcall function 00F90CDF: VariantCopy.OLEAUT32(?,?), ref: 00F90D28
                      • Part of subcall function 00F90CDF: VariantClear.OLEAUT32(?), ref: 00F90D34
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4137639002-1221869570
                    • Opcode ID: 858531c5dcf765508646928742f4fe5ee2acc194acb20fb95df20954241b3b03
                    • Instruction ID: 989dc5a5ef26efe7329ccec167432f0dc6d259084726a42edeeeb108cfc74150
                    • Opcode Fuzzy Hash: 858531c5dcf765508646928742f4fe5ee2acc194acb20fb95df20954241b3b03
                    • Instruction Fuzzy Hash: BF917BB5A083059FC700EF24C88196AB7E5FF89314F14892DF8899B351DB34EE05EB92
                    APIs
                      • Part of subcall function 00F8000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?,?,00F8035E), ref: 00F8002B
                      • Part of subcall function 00F8000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80046
                      • Part of subcall function 00F8000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80054
                      • Part of subcall function 00F8000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?), ref: 00F80064
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FA4C51
                    • _wcslen.LIBCMT ref: 00FA4D59
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FA4DCF
                    • CoTaskMemFree.OLE32(?), ref: 00FA4DDA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 614568839-2785691316
                    • Opcode ID: 78b7595d71620629816f35a45f18f7abc28a27d649e6f434ac69d64d7a48b83a
                    • Instruction ID: 7a055e75bd1f630158c25cae3f875e2641b0e73b7ae0b19b245c76094e162721
                    • Opcode Fuzzy Hash: 78b7595d71620629816f35a45f18f7abc28a27d649e6f434ac69d64d7a48b83a
                    • Instruction Fuzzy Hash: 4C9139B1D0022D9FDF14DFA4DC90AEEB7B8BF49310F108169E915A7251DB74AA44EFA0
                    APIs
                    • GetMenu.USER32(?), ref: 00FB2183
                    • GetMenuItemCount.USER32(00000000), ref: 00FB21B5
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FB21DD
                    • _wcslen.LIBCMT ref: 00FB2213
                    • GetMenuItemID.USER32(?,?), ref: 00FB224D
                    • GetSubMenu.USER32(?,?), ref: 00FB225B
                      • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                      • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                      • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FB22E3
                      • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                    • String ID:
                    • API String ID: 4196846111-0
                    • Opcode ID: a8d824a6f4131b6bf6ce260882ed38aba071971c9155dedc084b58bdd1d6e9e4
                    • Instruction ID: fac00a8d1703373a054e41b50d113b52d196ea6f4b7ad082e990822664c50d77
                    • Opcode Fuzzy Hash: a8d824a6f4131b6bf6ce260882ed38aba071971c9155dedc084b58bdd1d6e9e4
                    • Instruction Fuzzy Hash: 0A716E75E00215AFCB50EF69C885AEEB7F5EF48320F148459E816EB351D738AE41AF90
                    APIs
                    • IsWindow.USER32(015051E0), ref: 00FB7F37
                    • IsWindowEnabled.USER32(015051E0), ref: 00FB7F43
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FB801E
                    • SendMessageW.USER32(015051E0,000000B0,?,?), ref: 00FB8051
                    • IsDlgButtonChecked.USER32(?,?), ref: 00FB8089
                    • GetWindowLongW.USER32(015051E0,000000EC), ref: 00FB80AB
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FB80C3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    • Opcode ID: 13f28d70e65548ab2e650d34f0da3c3d6478777c6689396b98a17dccafbd4451
                    • Instruction ID: 4eb8b7b8e499806819e1e80a02c2c71fb585ab53471934c7a397222e04f2384d
                    • Opcode Fuzzy Hash: 13f28d70e65548ab2e650d34f0da3c3d6478777c6689396b98a17dccafbd4451
                    • Instruction Fuzzy Hash: 8B71C034A08344AFEB20AF56CC84FFA7BB9EF89390F144059E955572A1CB31A845EF94
                    APIs
                    • GetParent.USER32(?), ref: 00F8AEF9
                    • GetKeyboardState.USER32(?), ref: 00F8AF0E
                    • SetKeyboardState.USER32(?), ref: 00F8AF6F
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F8AF9D
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F8AFBC
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F8AFFD
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F8B020
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: 8ca521d2b5f686624c9a372710205fbd06fbbee7ae04de958e2df6365811113c
                    • Instruction ID: 45be3414e757e9c37292de62958f3adfd76fe19a41ec05daadabbc0cb5844179
                    • Opcode Fuzzy Hash: 8ca521d2b5f686624c9a372710205fbd06fbbee7ae04de958e2df6365811113c
                    • Instruction Fuzzy Hash: 1151E3A0A047D53DFB3762348C45BFBBEA99B06314F08858AE2E9554C2D3D8ACD4E751
                    APIs
                    • GetParent.USER32(00000000), ref: 00F8AD19
                    • GetKeyboardState.USER32(?), ref: 00F8AD2E
                    • SetKeyboardState.USER32(?), ref: 00F8AD8F
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F8ADBB
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F8ADD8
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F8AE17
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F8AE38
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    • Opcode ID: b844c0bbb71569e80781d3b68fb989c9e05b4ed43f7ce7e2ca1d4c69c434cb97
                    • Instruction ID: 34885b06fbcf083384da7572499d02d5de70015cd12dde3166a433974d20cd58
                    • Opcode Fuzzy Hash: b844c0bbb71569e80781d3b68fb989c9e05b4ed43f7ce7e2ca1d4c69c434cb97
                    • Instruction Fuzzy Hash: F65118A1D047D53DFB33A3348C95BFABE999B06311F08898AE1D5868C2D394EC94F752
                    APIs
                    • GetConsoleCP.KERNEL32(00F63CD6,?,?,?,?,?,?,?,?,00F55BA3,?,?,00F63CD6,?,?), ref: 00F55470
                    • __fassign.LIBCMT ref: 00F554EB
                    • __fassign.LIBCMT ref: 00F55506
                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F63CD6,00000005,00000000,00000000), ref: 00F5552C
                    • WriteFile.KERNEL32(?,00F63CD6,00000000,00F55BA3,00000000,?,?,?,?,?,?,?,?,?,00F55BA3,?), ref: 00F5554B
                    • WriteFile.KERNEL32(?,?,00000001,00F55BA3,00000000,?,?,?,?,?,?,?,?,?,00F55BA3,?), ref: 00F55584
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: 815defb9dfe8ec7b0474f7d28e5347a71f2e871aaff21fb99faaf799c4d79a93
                    • Instruction ID: 8a30e905d5de38d5cf74942393ad18b705a285ebb03fa26b5e29bda2750bab9e
                    • Opcode Fuzzy Hash: 815defb9dfe8ec7b0474f7d28e5347a71f2e871aaff21fb99faaf799c4d79a93
                    • Instruction Fuzzy Hash: 0151F5B1D006099FCB10CFA8DC91AEEBBF9EF08711F18411AFA55E7291E7309A45DB60
                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 00F42D4B
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00F42D53
                    • _ValidateLocalCookies.LIBCMT ref: 00F42DE1
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00F42E0C
                    • _ValidateLocalCookies.LIBCMT ref: 00F42E61
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm
                    • API String ID: 1170836740-1018135373
                    • Opcode ID: a8c335a1edc4f21490f4dd89f0b5c992219fa7a09bd5deee5921069ca42d1f71
                    • Instruction ID: e3a14560aad25465b9a90ad0420d2ab3adc76b6d4f00873050caa18974a9feb2
                    • Opcode Fuzzy Hash: a8c335a1edc4f21490f4dd89f0b5c992219fa7a09bd5deee5921069ca42d1f71
                    • Instruction Fuzzy Hash: AD41AB35E00209ABCF10DF68CC85A9EBFB5BF44324F548165FD15AB292DB35AA01EB90
                    APIs
                      • Part of subcall function 00FA304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                      • Part of subcall function 00FA304E: _wcslen.LIBCMT ref: 00FA309B
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FA1112
                    • WSAGetLastError.WSOCK32 ref: 00FA1121
                    • WSAGetLastError.WSOCK32 ref: 00FA11C9
                    • closesocket.WSOCK32(00000000), ref: 00FA11F9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 2675159561-0
                    • Opcode ID: c19c3c952873216ede1c91be443b10adec0b248140a4853283c1a8f0beb040a9
                    • Instruction ID: 8226c10fed5b801eb9e87ada48c38bd34a966333c0f05c9775c6c6c6a73fb96a
                    • Opcode Fuzzy Hash: c19c3c952873216ede1c91be443b10adec0b248140a4853283c1a8f0beb040a9
                    • Instruction Fuzzy Hash: 67410FB1600218AFDB109F24CC84BAABBE9FF46324F158159F9099F291C774ED41DBE0
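Editor's note on reading the entries above. The report flags whiteee.exe as a compiled AutoIt script, and the error strings in these functions ("AUTOIT.ERROR", "Incorrect Object type in FOR..IN loop", "NULL Pointer assignment") are interpreter messages, so the API chains listed here belong to the AutoIt3 runtime rather than to the embedded Snake Keylogger payload. Decoding the numeric arguments makes that obvious: the two functions at 00F8AD19 and 00F8AEF9 rewrite the thread keyboard state and then post WM_KEYDOWN (0x100) or WM_KEYUP (0x101) for VK_SHIFT (0x10), VK_CONTROL (0x11), VK_MENU (0x12) and VK_LWIN (0x5B), which is how the interpreter's Send() handles modifier keys; the function at 00FA1112 opens an AF_INET/SOCK_STREAM/IPPROTO_TCP socket; the function at 00FA4C51 calls CoInitializeSecurity with RPC_C_AUTHN_LEVEL_CONNECT (2) and RPC_C_IMP_LEVEL_IMPERSONATE (3) and CoCreateInstanceEx with CLSCTX 0x15 (in-proc, local and remote server), the ObjCreate path that can target a remote host; and the SendMessageW at 00FB80C3 sends WM_NCLBUTTONDOWN (0xA1) with HTCAPTION (2), the standard window-drag trick. The decoder below is an added example written for this page, not part of the Joe Sandbox output or of any AutoIt or Snake Keylogger code; its constant tables are deliberately limited to the values that occur in the entries above, and the sample input is a verbatim copy of lines from three of those entries. The interpretations in this note are my reading of the argument values, not a claim the report itself makes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Win32 constant tables, limited to the values seen in the report entries above;
# anything else is rendered as raw hex.
WM = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND",
      0x00A1: "WM_NCLBUTTONDOWN", 0x00B0: "EM_GETSEL",
      0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK"}
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
AF, SOCK, IPPROTO = {2: "AF_INET"}, {1: "SOCK_STREAM"}, {6: "IPPROTO_TCP"}
CLSCTX = {0x01: "CLSCTX_INPROC_SERVER", 0x04: "CLSCTX_LOCAL_SERVER",
          0x10: "CLSCTX_REMOTE_SERVER"}
AUTHN, IMP = {2: "RPC_C_AUTHN_LEVEL_CONNECT"}, {3: "RPC_C_IMP_LEVEL_IMPERSONATE"}

# One "APIs" bullet: "[Part of subcall function X: ]Api.MODULE[(args)], ref: ADDR"
API_RE = re.compile(
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list               # int for a resolved argument, None for '?'
    ref: int                 # address of the call instruction
    caller: Optional[int]    # set on "Part of subcall function" lines

def parse_line(line: str) -> Optional[ApiCall]:
    m = API_RE.search(line)
    if not m:
        return None
    raw = m.group("args")
    args = [None if t.strip() == "?" else int(t, 16) for t in raw.split(",")] if raw else []
    caller = m.group("caller")
    return ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                   int(caller, 16) if caller else None)

def _arg(c, i):
    return c.args[i] if i < len(c.args) else None

def _name(v, table):
    return "?" if v is None else table.get(v, f"0x{v:X}")

def _flags(v, table):
    names = [n for bit, n in table.items() if v & bit]
    rest = v & ~sum(table)                 # bits the table does not cover
    return "|".join(names + ([f"0x{rest:X}"] if rest else [])) or "0"

def decode(c: ApiCall) -> str:
    """Symbolic reading of the arguments that matter for triage; '' if none."""
    if c.api in ("PostMessageW", "SendMessageW"):
        msg = _name(_arg(c, 1), WM)
        if msg in ("WM_KEYDOWN", "WM_KEYUP"):
            return f"{msg} {_name(_arg(c, 2), VK)}"
        if msg == "WM_NCLBUTTONDOWN" and _arg(c, 2) == 2:
            return "WM_NCLBUTTONDOWN HTCAPTION (start window drag)"
        return "" if msg == "?" else msg
    if c.api == "socket":
        return "/".join((_name(_arg(c, 0), AF), _name(_arg(c, 1), SOCK),
                         _name(_arg(c, 2), IPPROTO)))
    if c.api == "CoCreateInstanceEx":
        return _flags(_arg(c, 2) or 0, CLSCTX)
    if c.api == "CoInitializeSecurity":
        return f"authn={_name(_arg(c, 4), AUTHN)} imp={_name(_arg(c, 5), IMP)}"
    return ""

def annotate(report_text: str) -> list:
    """(api, ref, decoded) for every line the decoder has something to say about."""
    calls = filter(None, map(parse_line, report_text.splitlines()))
    return [(c.api, f"{c.ref:08X}", decode(c)) for c in calls if decode(c)]

def key_injection_profile(report_text: str) -> dict:
    """Which modifier keys a function posts and whether it rewrites the thread
    keyboard state first (the pattern of the interpreter's Send() modifiers)."""
    calls = list(filter(None, map(parse_line, report_text.splitlines())))
    keys = [_name(_arg(c, 2), VK) for c in calls
            if c.api == "PostMessageW" and _arg(c, 1) in (0x0100, 0x0101)]
    apis = {c.api for c in calls}
    return {"keyboard_state_rewrite": {"GetKeyboardState", "SetKeyboardState"} <= apis,
            "keys": keys}

# Lines copied verbatim from three of the function entries above.
REPORT_EXCERPT = """\
• GetKeyboardState.USER32(?), ref: 00F8AD2E
• SetKeyboardState.USER32(?), ref: 00F8AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F8ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F8ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F8AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F8AE38
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FA1112
• WSAGetLastError.WSOCK32 ref: 00FA1121
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FA4C51
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FA4DCF
"""

if __name__ == "__main__":
    print(*annotate(REPORT_EXCERPT), key_injection_profile(REPORT_EXCERPT), sep="\n")
```

Run it against any pasted "APIs" section of this report. The fuzzy hashes above identify a function; the decoded constants tell you what it does, and once the entries that match the interpreter's own Send(), TCP and ObjCreate helpers are recognised they can be set aside so that attention goes to behaviour the report attributes to the unpacked payload (the credential and browser-data access flagged in the Signatures section).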
                    APIs
                      • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F8CF22,?), ref: 00F8DDFD
                      • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F8CF22,?), ref: 00F8DE16
                    • lstrcmpiW.KERNEL32(?,?), ref: 00F8CF45
                    • MoveFileW.KERNEL32(?,?), ref: 00F8CF7F
                    • _wcslen.LIBCMT ref: 00F8D005
                    • _wcslen.LIBCMT ref: 00F8D01B
                    • SHFileOperationW.SHELL32(?), ref: 00F8D061
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                    • String ID: \*.*
                    • API String ID: 3164238972-1173974218
                    • Opcode ID: bdfde42a4da1ca6f387dc0c78cf5e16bc7ddc0bc7c16c33b9923763c6f992442
                    • Instruction ID: 172abd0dc40ca25d2b4bcf363c13a8e2e0436903ce51d68758392a613b6135e6
                    • Opcode Fuzzy Hash: bdfde42a4da1ca6f387dc0c78cf5e16bc7ddc0bc7c16c33b9923763c6f992442
                    • Instruction Fuzzy Hash: B5413471D452185FDF12FBA4DD85ADEB7B9AF08380F1000E6E605EB141EB74A644EF60
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FB2E1C
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2E4F
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2E84
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FB2EB6
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FB2EE0
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FB2EF1
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FB2F0B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    • Opcode ID: 124b093b91a7d91774c7b56aae30b1b2b7362bb465a2582d541e3b518610cd75
                    • Instruction ID: f54136e87330ea5cc7d2375e25559f416a83060e7f28fb1b8ba283450dbbeb54
                    • Opcode Fuzzy Hash: 124b093b91a7d91774c7b56aae30b1b2b7362bb465a2582d541e3b518610cd75
                    • Instruction Fuzzy Hash: 9B31F231A04258AFEB618F5ADC84FA537E5FB9A720F150164F9048B2B1CBB1E840EF91
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87769
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F8778F
                    • SysAllocString.OLEAUT32(00000000), ref: 00F87792
                    • SysAllocString.OLEAUT32(?), ref: 00F877B0
                    • SysFreeString.OLEAUT32(?), ref: 00F877B9
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F877DE
                    • SysAllocString.OLEAUT32(?), ref: 00F877EC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: eeb918dd2430143fd9806d4eb8fd4e7352e2dcb998653a4dbcd404fd26d6c3e9
                    • Instruction ID: f480d4157834e9da784ecb3a5c0461356b73c50e6ad738049c4bba7c99c607ea
                    • Opcode Fuzzy Hash: eeb918dd2430143fd9806d4eb8fd4e7352e2dcb998653a4dbcd404fd26d6c3e9
                    • Instruction Fuzzy Hash: 2F21A176A04219AFDB10FFA8CC88EFF73ACEB09764B148125B904DB150D670DD41EBA0
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87842
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F87868
                    • SysAllocString.OLEAUT32(00000000), ref: 00F8786B
                    • SysAllocString.OLEAUT32 ref: 00F8788C
                    • SysFreeString.OLEAUT32 ref: 00F87895
                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00F878AF
                    • SysAllocString.OLEAUT32(?), ref: 00F878BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                    • String ID:
                    • API String ID: 3761583154-0
                    • Opcode ID: 0dfbdff410cfbd294842fe42f3bd7cf60b4129e284b4361f3dd9f43637958983
                    • Instruction ID: 04947de49b038f5631b2700e1528059c4c79970a40ccba1c8f67755ac4132834
                    • Opcode Fuzzy Hash: 0dfbdff410cfbd294842fe42f3bd7cf60b4129e284b4361f3dd9f43637958983
                    • Instruction Fuzzy Hash: 53216731A08208AFDB10FFA8DC88EAB77ACEB097607208125F515CB1A1D774DD41DB74
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00F904F2
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F9052E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateHandlePipe
                    • String ID: nul
                    • API String ID: 1424370930-2873401336
                    • Opcode ID: 0c73614693c6b08e32e33effbb04c85262042ce9e0a2aed06d85fd767ce84cfc
                    • Instruction ID: a5e1b92b72eaf6e9f94b8b33a24b5d772df92cbeff99098e96275d47eda33c72
                    • Opcode Fuzzy Hash: 0c73614693c6b08e32e33effbb04c85262042ce9e0a2aed06d85fd767ce84cfc
                    • Instruction Fuzzy Hash: D1218075900309AFEF209F29DC44A9A77B8AF44734F644A29F9A1D62E0DB70D940EF60
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00F905C6
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F90601
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateHandlePipe
                    • String ID: nul
                    • API String ID: 1424370930-2873401336
                    • Opcode ID: 045c5dae1ee8e33877c3ff6b22d82c152ba4e6120ff4b0746d5fd2f13832ad22
                    • Instruction ID: 30d72d801bf379693e195751a661ca449497f8d2a01b861aa69adefae9aeebb1
                    • Opcode Fuzzy Hash: 045c5dae1ee8e33877c3ff6b22d82c152ba4e6120ff4b0746d5fd2f13832ad22
                    • Instruction Fuzzy Hash: 482131759003059FEF209F699C44A9A77E8AF95734F200B19F8A1E72E0DB709960EF60
                    APIs
                      • Part of subcall function 00F2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                      • Part of subcall function 00F2600E: GetStockObject.GDI32(00000011), ref: 00F26060
                      • Part of subcall function 00F2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FB4112
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FB411F
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FB412A
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FB4139
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FB4145
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 4911d29f08ec2838384401730cdfcc7990eb566ce27d41d8da47e75b8fe8bf51
                    • Instruction ID: 9d453a57bd2c26d88f725e088275821458323eb543da1f52bec630a9324ec6b7
                    • Opcode Fuzzy Hash: 4911d29f08ec2838384401730cdfcc7990eb566ce27d41d8da47e75b8fe8bf51
                    • Instruction Fuzzy Hash: CE11B2B255021DBEEF119F65CC85EE77F5DEF087A8F004111BA18A20A0C676DC21EBA4
                    APIs
                      • Part of subcall function 00F5D7A3: _free.LIBCMT ref: 00F5D7CC
                    • _free.LIBCMT ref: 00F5D82D
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F5D838
                    • _free.LIBCMT ref: 00F5D843
                    • _free.LIBCMT ref: 00F5D897
                    • _free.LIBCMT ref: 00F5D8A2
                    • _free.LIBCMT ref: 00F5D8AD
                    • _free.LIBCMT ref: 00F5D8B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                    • Instruction ID: c1c9034bcaec64ba6238a0d632596cb3498d724c264ee73809417d0f198d4aa7
                    • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                    • Instruction Fuzzy Hash: 9C118171542B04AAD531BFB0DC07FCB7BECAF09702F400825BB99A6992DA28B5097650
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F8DA74
                    • LoadStringW.USER32(00000000), ref: 00F8DA7B
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F8DA91
                    • LoadStringW.USER32(00000000), ref: 00F8DA98
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F8DADC
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00F8DAB9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Message
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 4072794657-3128320259
                    • Opcode ID: 4e00f4c6602f6ff4c8826a5f0595324281977062d23405590e644eb420286dce
                    • Instruction ID: 439d7e4ca888c51730912e9d41b65488c636c56e6304183acbd5a6d87b94380f
                    • Opcode Fuzzy Hash: 4e00f4c6602f6ff4c8826a5f0595324281977062d23405590e644eb420286dce
                    • Instruction Fuzzy Hash: 260162F690020C7FE711ABA49DC9EE7376CEB08701F401591B706E2082EA749E845FB4
                    APIs
                    • InterlockedExchange.KERNEL32(014FE078,014FE078), ref: 00F9097B
                    • EnterCriticalSection.KERNEL32(014FE058,00000000), ref: 00F9098D
                    • TerminateThread.KERNEL32(00000000,000001F6), ref: 00F9099B
                    • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00F909A9
                    • CloseHandle.KERNEL32(00000000), ref: 00F909B8
                    • InterlockedExchange.KERNEL32(014FE078,000001F6), ref: 00F909C8
                    • LeaveCriticalSection.KERNEL32(014FE058), ref: 00F909CF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: cfaab036af863e3ff759a9b94b10c8b4bfdbf64206c275773e2bf2c1fc9bc14c
                    • Instruction ID: 7ab3afad73587a50980d3b7a43983058e685f1d82323e4e2625fa03261f088c9
                    • Opcode Fuzzy Hash: cfaab036af863e3ff759a9b94b10c8b4bfdbf64206c275773e2bf2c1fc9bc14c
                    • Instruction Fuzzy Hash: 12F01D31442516BBEB455F94EEC8AD77A35BF01712F401126F101508A0CB749865EFD0
                    APIs
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FA1DC0
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FA1DE1
                    • WSAGetLastError.WSOCK32 ref: 00FA1DF2
                    • htons.WSOCK32(?,?,?,?,?), ref: 00FA1EDB
                    • inet_ntoa.WSOCK32(?), ref: 00FA1E8C
                      • Part of subcall function 00F839E8: _strlen.LIBCMT ref: 00F839F2
                      • Part of subcall function 00FA3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F9EC0C), ref: 00FA3240
                    • _strlen.LIBCMT ref: 00FA1F35
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                    • String ID:
                    • API String ID: 3203458085-0
                    • Opcode ID: e340177ab9c5e30421ba0de146a35d67756aff3808e32184b37a1234a3baf226
                    • Instruction ID: c6db0c4b0181e0dc0c029f744f350106a2dacea82352046a52da274fd2a5b1b9
                    • Opcode Fuzzy Hash: e340177ab9c5e30421ba0de146a35d67756aff3808e32184b37a1234a3baf226
                    • Instruction Fuzzy Hash: B8B1EEB1604340AFC324DF24C885E2A7BA5BF86328F59894CF4565F2E2CB75ED42DB91
                    APIs
                    • GetClientRect.USER32(?,?), ref: 00F25D30
                    • GetWindowRect.USER32(?,?), ref: 00F25D71
                    • ScreenToClient.USER32(?,?), ref: 00F25D99
                    • GetClientRect.USER32(?,?), ref: 00F25ED7
                    • GetWindowRect.USER32(?,?), ref: 00F25EF8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Rect$Client$Window$Screen
                    • String ID:
                    • API String ID: 1296646539-0
                    • Opcode ID: 71e23b6efe3edb979f240b1bf257622ac4540d5cd9e9a6f73f8bad25ee3a6bce
                    • Instruction ID: 86455896bef268add4bf1e57a77f7d468cfebb5e691d63e3509c999e1f7856cb
                    • Opcode Fuzzy Hash: 71e23b6efe3edb979f240b1bf257622ac4540d5cd9e9a6f73f8bad25ee3a6bce
                    • Instruction Fuzzy Hash: 7DB17835A00A5ADBDB14DFB8C4807EEB7F1FF58320F14851AE8A9D7250DB30AA51EB54
                    APIs
                    • __allrem.LIBCMT ref: 00F500BA
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F500D6
                    • __allrem.LIBCMT ref: 00F500ED
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F5010B
                    • __allrem.LIBCMT ref: 00F50122
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F50140
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                    • Instruction ID: 922e66ca6cca66997b7de849cab636d4a02fdc4fa1ca39585706ac666ac2c7f7
                    • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                    • Instruction Fuzzy Hash: 31810872A00B069BE7209F28CC41B6B77E8AF41335F24423AFE55D66C1EB74D908A791
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F482D9,00F482D9,?,?,?,00F5644F,00000001,00000001,8BE85006), ref: 00F56258
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F5644F,00000001,00000001,8BE85006,?,?,?), ref: 00F562DE
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F563D8
                    • __freea.LIBCMT ref: 00F563E5
                      • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                    • __freea.LIBCMT ref: 00F563EE
                    • __freea.LIBCMT ref: 00F56413
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: d14bc59d9aa301663996e5ce39c548373be00b67312eb692824f584ad5e93384
                    • Instruction ID: b36ee0ae88990c3799f2a9c35e83a3360154bd4d97bfda616bb4ae0b2594d6ed
                    • Opcode Fuzzy Hash: d14bc59d9aa301663996e5ce39c548373be00b67312eb692824f584ad5e93384
                    • Instruction Fuzzy Hash: EC51E672A00216ABDF258F64CC81FAF77A9EF44761F544629FE25D7240DB34DC48E6A0
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FABCCA
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FABD25
                    • RegCloseKey.ADVAPI32(00000000), ref: 00FABD6A
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FABD99
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FABDF3
                    • RegCloseKey.ADVAPI32(?), ref: 00FABDFF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                    • String ID:
                    • API String ID: 1120388591-0
                    • Opcode ID: 27e48d69062d23dd6b098e5ddf8850083ee78a57a68568663aa7287f49d5453d
                    • Instruction ID: 2bb48b1f284a403540cea2757a2f2fb31ffe76a321fdf42389f9c8e162b9aec0
                    • Opcode Fuzzy Hash: 27e48d69062d23dd6b098e5ddf8850083ee78a57a68568663aa7287f49d5453d
                    • Instruction Fuzzy Hash: 2781C071608241EFC714DF24C885E2ABBE5FF85318F14896CF4598B2A2CB31ED45EB92
                    APIs
                    • VariantInit.OLEAUT32(00000035), ref: 00F7F7B9
                    • SysAllocString.OLEAUT32(00000001), ref: 00F7F860
                    • VariantCopy.OLEAUT32(00F7FA64,00000000), ref: 00F7F889
                    • VariantClear.OLEAUT32(00F7FA64), ref: 00F7F8AD
                    • VariantCopy.OLEAUT32(00F7FA64,00000000), ref: 00F7F8B1
                    • VariantClear.OLEAUT32(?), ref: 00F7F8BB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearCopy$AllocInitString
                    • String ID:
                    • API String ID: 3859894641-0
                    • Opcode ID: 65b4f409a34de0de7763ac4f5de3f4382ff0e88d5ede5efc9819bb0ad157f1ce
                    • Instruction ID: bfda1790a44cc3293150699ee8232dfbccb720338e25014a521568a596e1c3ac
                    • Opcode Fuzzy Hash: 65b4f409a34de0de7763ac4f5de3f4382ff0e88d5ede5efc9819bb0ad157f1ce
                    • Instruction Fuzzy Hash: C151B531900310BADF20AB65DC95B69B3A4EF45320F24D467E909EF291DB748C48EBA7
                    APIs
                      • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00F994E5
                    • _wcslen.LIBCMT ref: 00F99506
                    • _wcslen.LIBCMT ref: 00F9952D
                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00F99585
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$FileName$OpenSave
                    • String ID: X
                    • API String ID: 83654149-3081909835
                    • Opcode ID: 9bc4f0993c78d7e6047a9f18d4b8bec70a1483eda05342ba8edb0dea6a8b6854
                    • Instruction ID: de44016734966bcd7019cbf4569edb6271a5a48980594ec68dbfbdf2e55bf6cf
                    • Opcode Fuzzy Hash: 9bc4f0993c78d7e6047a9f18d4b8bec70a1483eda05342ba8edb0dea6a8b6854
                    • Instruction Fuzzy Hash: 05E1C4319083509FDB24DF28D881F6AB7E4BF84310F05896DF8899B2A2DB75DD05DB92
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • BeginPaint.USER32(?,?,?), ref: 00F39241
                    • GetWindowRect.USER32(?,?), ref: 00F392A5
                    • ScreenToClient.USER32(?,?), ref: 00F392C2
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F392D3
                    • EndPaint.USER32(?,?,?,?,?), ref: 00F39321
                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F771EA
                      • Part of subcall function 00F39339: BeginPath.GDI32(00000000), ref: 00F39357
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                    • String ID:
                    • API String ID: 3050599898-0
                    • Opcode ID: 077443772db0868c157b770f01fe2046b82060a4c13ff61ed35a3fd854899c93
                    • Instruction ID: 30d485ad3e3d399ab8d380c084d198f020e2e1d89d74b59e903049c9d9dcc392
                    • Opcode Fuzzy Hash: 077443772db0868c157b770f01fe2046b82060a4c13ff61ed35a3fd854899c93
                    • Instruction Fuzzy Hash: CF41AC71508304AFD721EF24CC84FBB7BA8EF45370F140269F999972A1C7B19845EBA2
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F9080C
                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F90847
                    • EnterCriticalSection.KERNEL32(?), ref: 00F90863
                    • LeaveCriticalSection.KERNEL32(?), ref: 00F908DC
                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F908F3
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F90921
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                    • String ID:
                    • API String ID: 3368777196-0
                    • Opcode ID: bdbef90b7144813d589e7541e71e04bd100b3e249506b3de6f364592cc18b345
                    • Instruction ID: c469cdab8d6a5bce70f73ac7ecffd82dc3df58ea0a56f421e6e8bd1d1894b432
                    • Opcode Fuzzy Hash: bdbef90b7144813d589e7541e71e04bd100b3e249506b3de6f364592cc18b345
                    • Instruction Fuzzy Hash: E0415B71A00209EFEF14AF54DC85A6A7778FF04310F1440A9ED04AA297DB34DE65EBA4
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F7F3AB,00000000,?,?,00000000,?,00F7682C,00000004,00000000,00000000), ref: 00FB824C
                    • EnableWindow.USER32(00000000,00000000), ref: 00FB8272
                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FB82D1
                    • ShowWindow.USER32(00000000,00000004), ref: 00FB82E5
                    • EnableWindow.USER32(00000000,00000001), ref: 00FB830B
                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FB832F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: b03eb49c84a36789e9843e10c2cfdba92f6abd6bca2205950d2625e711be607a
                    • Instruction ID: f64bf47c4b49cca14ab4a2a9bc436137c65cdc659b2bca2cc54f86542b20de7c
                    • Opcode Fuzzy Hash: b03eb49c84a36789e9843e10c2cfdba92f6abd6bca2205950d2625e711be607a
                    • Instruction Fuzzy Hash: EA419734A01644EFDB21DF16CC95BE47BE9BF86764F1842A5E5084F262CB719C42EF90
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00F84C95
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F84CB2
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F84CEA
                    • _wcslen.LIBCMT ref: 00F84D08
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F84D10
                    • _wcsstr.LIBVCRUNTIME ref: 00F84D1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                    • String ID:
                    • API String ID: 72514467-0
                    • Opcode ID: 9bc676d8128d69d55b73b7408393be034da3f289057c0d312eadae516ae5861c
                    • Instruction ID: 0c842af7963247338532ab7891b57d64838dd0920e46a280cc8a309df85587d7
                    • Opcode Fuzzy Hash: 9bc676d8128d69d55b73b7408393be034da3f289057c0d312eadae516ae5861c
                    • Instruction Fuzzy Hash: 35210B73A04205BBEB15AB35EC49EBB7F9DDF45760F104039F809CA191EA65EC41B7A0
                    APIs
                      • Part of subcall function 00F23AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F23A97,?,?,00F22E7F,?,?,?,00000000), ref: 00F23AC2
                    • _wcslen.LIBCMT ref: 00F9587B
                    • CoInitialize.OLE32(00000000), ref: 00F95995
                    • CoCreateInstance.OLE32(00FBFCF8,00000000,00000001,00FBFB68,?), ref: 00F959AE
                    • CoUninitialize.OLE32 ref: 00F959CC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                    • String ID: .lnk
                    • API String ID: 3172280962-24824748
                    • Opcode ID: 886a5f550e5bf41c1e60f2dbebac70129ef159b51eb4d72ce10697bc710f092a
                    • Instruction ID: a222624a6df0a6037b34ab13749ee9fd19d675bba4005e32bb136ed956217a5d
                    • Opcode Fuzzy Hash: 886a5f550e5bf41c1e60f2dbebac70129ef159b51eb4d72ce10697bc710f092a
                    • Instruction Fuzzy Hash: F1D17671A087119FDB15DF24C880A2ABBE1FF89B20F14885DF8899B361D735ED05DB92
                    APIs
                      • Part of subcall function 00F80FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F80FCA
                      • Part of subcall function 00F80FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F80FD6
                      • Part of subcall function 00F80FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F80FE5
                      • Part of subcall function 00F80FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F80FEC
                      • Part of subcall function 00F80FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F81002
                    • GetLengthSid.ADVAPI32(?,00000000,00F81335), ref: 00F817AE
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F817BA
                    • HeapAlloc.KERNEL32(00000000), ref: 00F817C1
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F817DA
                    • GetProcessHeap.KERNEL32(00000000,00000000,00F81335), ref: 00F817EE
                    • HeapFree.KERNEL32(00000000), ref: 00F817F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: 1dc679d7c14dadb5eb63eaa872c1d36e24754f2804226b61675124a80eb4453c
                    • Instruction ID: cca285dd7a10940d2a77a23a9ab303d3189b92f1fb4121bd417059aa17314671
                    • Opcode Fuzzy Hash: 1dc679d7c14dadb5eb63eaa872c1d36e24754f2804226b61675124a80eb4453c
                    • Instruction Fuzzy Hash: 4511AF72900209EFDB10AFA4DC89BEF7BADFB41365F10421DF441A7111C739A945EBA0
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F814FF
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00F81506
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F81515
                    • CloseHandle.KERNEL32(00000004), ref: 00F81520
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F8154F
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F81563
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: fcaffc4de2c3e7e3836d4a1936d208b83b958a47c82f3e3b226b1d36c610320d
                    • Instruction ID: b34026378c052a026b29c86fdc394468557b8037626685062501919bd791d3a6
                    • Opcode Fuzzy Hash: fcaffc4de2c3e7e3836d4a1936d208b83b958a47c82f3e3b226b1d36c610320d
                    • Instruction Fuzzy Hash: 7111477250420DABDF11DF98DD49BDB7BADFB48754F084224FA05A2060C3718E61ABA0
                    APIs
                    • GetLastError.KERNEL32(?,?,00F43379,00F42FE5), ref: 00F43390
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F4339E
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F433B7
                    • SetLastError.KERNEL32(00000000,?,00F43379,00F42FE5), ref: 00F43409
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 3edcb6c567a96d713a45aeffaa0325e96ae60825f39b849ff65c21fd624e2e7f
                    • Instruction ID: aaf0a2caba6532bc36b7cf37b1cc23ac8b79b30e84b7cffe5379555de0db6444
                    • Opcode Fuzzy Hash: 3edcb6c567a96d713a45aeffaa0325e96ae60825f39b849ff65c21fd624e2e7f
                    • Instruction Fuzzy Hash: 9F01F733A09326BFA6292B747CC5A673E94EB457797200329FE20C52F1EF114E0279C4
                    APIs
                    • GetLastError.KERNEL32(?,?,00F55686,00F63CD6,?,00000000,?,00F55B6A,?,?,?,?,?,00F4E6D1,?,00FE8A48), ref: 00F52D78
                    • _free.LIBCMT ref: 00F52DAB
                    • _free.LIBCMT ref: 00F52DD3
                    • SetLastError.KERNEL32(00000000,?,?,?,?,00F4E6D1,?,00FE8A48,00000010,00F24F4A,?,?,00000000,00F63CD6), ref: 00F52DE0
                    • SetLastError.KERNEL32(00000000,?,?,?,?,00F4E6D1,?,00FE8A48,00000010,00F24F4A,?,?,00000000,00F63CD6), ref: 00F52DEC
                    • _abort.LIBCMT ref: 00F52DF2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 16678c4c6b528ce2fd80ee658b9b1b037674067b00bc2c82792c9ed72f90648c
                    • Instruction ID: 1f016c3a7385f815efa433fb66d8d8431a312ed0a8f56f33a42762981feb6aa0
                    • Opcode Fuzzy Hash: 16678c4c6b528ce2fd80ee658b9b1b037674067b00bc2c82792c9ed72f90648c
                    • Instruction Fuzzy Hash: 6CF0CD3290590427C29227397C46E5F36756FC37B3F244719FF24921D2DF28880E7560
                    APIs
                      • Part of subcall function 00F39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                      • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396A2
                      • Part of subcall function 00F39639: BeginPath.GDI32(?), ref: 00F396B9
                      • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396E2
                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FB8A4E
                    • LineTo.GDI32(?,00000003,00000000), ref: 00FB8A62
                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FB8A70
                    • LineTo.GDI32(?,00000000,00000003), ref: 00FB8A80
                    • EndPath.GDI32(?), ref: 00FB8A90
                    • StrokePath.GDI32(?), ref: 00FB8AA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: f045eb7f2146fb38344c93500b9015550b1783724162fe46a3155db9d20eddd5
                    • Instruction ID: 6940ea5988f342b8d1ee2d75fdd7d69fb39f299175f99bfe0f28216831ed1a70
                    • Opcode Fuzzy Hash: f045eb7f2146fb38344c93500b9015550b1783724162fe46a3155db9d20eddd5
                    • Instruction Fuzzy Hash: 8911097640010DFFDB129F94DC88EAA7F6CEF083A0F008112BA199A1A1C7719D55EFA0
                    APIs
                    • GetDC.USER32(00000000), ref: 00F85218
                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F85229
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F85230
                    • ReleaseDC.USER32(00000000,00000000), ref: 00F85238
                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F8524F
                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F85261
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CapsDevice$Release
                    • String ID:
                    • API String ID: 1035833867-0
                    • Opcode ID: 848793028645283d9f05f96e222399949f982cd067dbd2490943e59289f0c925
                    • Instruction ID: 3ef820420efea580d0de23097c9cc61c2c26a2e886b196ad5d0a27db03d2bca4
                    • Opcode Fuzzy Hash: 848793028645283d9f05f96e222399949f982cd067dbd2490943e59289f0c925
                    • Instruction Fuzzy Hash: 3C016775E00718BBEB106BA99C49E5FBFB9EF44751F044165FA05E7281DA709C00DFA0
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F21BF4
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F21BFC
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F21C07
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F21C12
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F21C1A
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21C22
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: f90ddfca3a649a7bb67af3bcf3915859b4e2f743a80ef65a0819d63e9a1c1220
                    • Instruction ID: 5df69644e24aceadd9e0b154148577e43074889082b9dde1fb3be5c514491560
                    • Opcode Fuzzy Hash: f90ddfca3a649a7bb67af3bcf3915859b4e2f743a80ef65a0819d63e9a1c1220
                    • Instruction Fuzzy Hash: B90144B0902B5ABDE3008F6A8C85A52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F8EB30
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8EB46
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00F8EB55
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB64
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB6E
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB75
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: f5db17b92fc5b33e79b0ceea652de4b98826ebb0a9a7f8eb230ed60d1859c730
                    • Instruction ID: 4137a82b268d167cdad6cd23bd551ba3f9fda5a10751f87e270fb4e5037846ff
                    • Opcode Fuzzy Hash: f5db17b92fc5b33e79b0ceea652de4b98826ebb0a9a7f8eb230ed60d1859c730
                    • Instruction Fuzzy Hash: D8F0307254015CBBE7215B529C4DEEF3B7CEFCAB11F000259F641E1091E7A05A01EAF5
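                    Three of the records above carry the capability the report's signatures point at: the CreateProcessWithLogonW chain (launch as a different user), the MapVirtualKeyW chain over VK_LWIN/VK_SHIFT/VK_LSHIFT/VK_RSHIFT/VK_CONTROL/VK_MENU (modifier-key handling for synthetic keystrokes), and the PostMessageW/SendMessageTimeoutW WM_CLOSE followed by OpenProcess(0x1F0FFF) and TerminateProcess (force-kill a window's owning process). The Python script below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses records in this section's line format into structured calls, decodes the fixed Win32 constants that appear literally in the lines (WM_CLOSE = 0x10, WM_GETTEXT = 0x0D, WM_GETTEXTLENGTH = 0x0E, the legacy PROCESS_ALL_ACCESS mask 0x1F0FFF, the VK_* codes) and assigns a behaviour label per record. The rule wording is the example's own, and the three sample records are copied from the listing above. Caveat for triage: if the binary is a compiled AutoIt script (an assumption here, not something this listing proves), chains like these are most likely the interpreter's built-in primitives and show capability, not that the embedded script actually exercised them.

```python
"""Added triage helper for Joe Sandbox per-function "APIs" records (example, not report code).

Parses lines such as
    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00F8EB64
    • Part of subcall function 00F80FB4: GetTokenInformation.ADVAPI32(?,00000002), ref: 00F80FCA
into Call objects and applies small pattern rules that name the behaviour of a chain.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)

# Fixed Win32 values that appear literally in the records.
WM_CLOSE, WM_GETTEXT, WM_GETTEXTLENGTH = 0x10, 0x0D, 0x0E
PROCESS_ALL_ACCESS_LEGACY = 0x1F0FFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFF
VK_NAMES = {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}
MESSAGE_APIS = {"PostMessageW", "SendMessageW", "SendMessageTimeoutW"}


@dataclass
class Call:
    api: str
    module: str
    args: list[Optional[int]]      # hex literal -> int, '?' (unresolved) -> None
    ref: int                       # call-site address
    subcall: Optional[int] = None  # set for "Part of subcall function" lines


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)   # int() also accepts '-00000002'


def parse_record(text: str) -> list[Call]:
    """Parse one record's API lines; non-call lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def classify(calls: list[Call]) -> list[str]:
    """Label a record from the calls the function itself makes (subcall lines are context only)."""
    own = [c for c in calls if c.subcall is None]
    names = {c.api for c in own}
    msgs = {c.args[1] for c in own if c.api in MESSAGE_APIS and len(c.args) > 1}
    findings = []

    # Polite WM_CLOSE first, then OpenProcess + TerminateProcess on the window's owner.
    if {"OpenProcess", "TerminateProcess"} <= names:
        access = next((c.args[0] for c in own if c.api == "OpenProcess" and c.args), None)
        if access == PROCESS_ALL_ACCESS_LEGACY:
            detail = "PROCESS_ALL_ACCESS"
        elif access is None:
            detail = "access=?"
        else:
            detail = f"access=0x{access:X}"
        prefix = "after WM_CLOSE " if WM_CLOSE in msgs else ""
        findings.append(f"forced process termination {prefix}via OpenProcess({detail})+TerminateProcess")

    if "CreateProcessWithLogonW" in names:
        findings.append("launches a process under supplied credentials (CreateProcessWithLogonW)")

    # MapVirtualKeyW(vk, 0) is MAPVK_VK_TO_VSC: modifier virtual keys resolved to scan codes.
    vks = [VK_NAMES[c.args[0]] for c in own
           if c.api == "MapVirtualKeyW" and c.args and c.args[0] in VK_NAMES]
    if vks:
        findings.append("maps modifier keys to scan codes: " + ", ".join(vks))

    if "IsWindowVisible" in names and msgs & {WM_GETTEXT, WM_GETTEXTLENGTH}:
        findings.append("reads the text of visible windows via WM_GETTEXT")
    return findings


# Sample records copied from the listing above (constructed test input for this example).
KILL_RECORD = """
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F8EB30
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F8EB46
• GetWindowThreadProcessId.USER32(?,?), ref: 00F8EB55
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB64
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB6E
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F8EB75
"""
RUNAS_RECORD = """
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F814FF
• OpenProcessToken.ADVAPI32(00000000), ref: 00F81506
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F81515
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F8154F
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00F81563
"""
KEYS_RECORD = """
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F21BF4
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00F21BFC
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F21C07
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F21C12
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00F21C1A
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00F21C22
"""

if __name__ == "__main__":
    for name, rec in (("kill", KILL_RECORD), ("runas", RUNAS_RECORD), ("keys", KEYS_RECORD)):
        print(name, classify(parse_record(rec)))
```

                    Feeding the script a whole report's worth of records (one call to parse_record per "APIs" block) turns the listing into a short capability inventory; the subcall lines are deliberately excluded from classification so that a helper's behaviour is not attributed to every caller that reaches it.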
                    APIs
                    • GetClientRect.USER32(?), ref: 00F77452
                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F77469
                    • GetWindowDC.USER32(?), ref: 00F77475
                    • GetPixel.GDI32(00000000,?,?), ref: 00F77484
                    • ReleaseDC.USER32(?,00000000), ref: 00F77496
                    • GetSysColor.USER32(00000005), ref: 00F774B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                    • String ID:
                    • API String ID: 272304278-0
                    • Opcode ID: d38e165e711e8dc3aec90a2b9372761d7693b50068bdef6a7abda02928e10d59
                    • Instruction ID: 1113beab4dcbbd590256bb93dae4c41ed374b4250d1cfaa213a99b67c68c59c2
                    • Opcode Fuzzy Hash: d38e165e711e8dc3aec90a2b9372761d7693b50068bdef6a7abda02928e10d59
                    • Instruction Fuzzy Hash: F5018B32800209EFDB10AF64DC48FAA7BB6FF04321F654264F919A20A0CB311E41FF91
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F8187F
                    • UnloadUserProfile.USERENV(?,?), ref: 00F8188B
                    • CloseHandle.KERNEL32(?), ref: 00F81894
                    • CloseHandle.KERNEL32(?), ref: 00F8189C
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00F818A5
                    • HeapFree.KERNEL32(00000000), ref: 00F818AC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: 76bd6cb15ac26c14d24cf2007d67f299e12dd1349acc256190ef7d50ea488552
                    • Instruction ID: 640e69d8d407b9372ea40d2fd44ab870e39531d94c4becdc936efd42b79bb1fa
                    • Opcode Fuzzy Hash: 76bd6cb15ac26c14d24cf2007d67f299e12dd1349acc256190ef7d50ea488552
                    • Instruction Fuzzy Hash: 8DE0E576004109BBEB015FA6ED4C90BBF79FF49B22B508321F26591071CB329420EFA0
                    APIs
                      • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F8C6EE
                    • _wcslen.LIBCMT ref: 00F8C735
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F8C79C
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F8C7CA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ItemMenu$Info_wcslen$Default
                    • String ID: 0
                    • API String ID: 1227352736-4108050209
                    • Opcode ID: 8210a2e4dbff55e994e8044a754b9fd81783247f43cb177fa4194d9faeef459a
                    • Instruction ID: 153aed76e5bb88c44c1cafb1ccb0530d00d8db43b5e030c3be2befd566f76a22
                    • Opcode Fuzzy Hash: 8210a2e4dbff55e994e8044a754b9fd81783247f43cb177fa4194d9faeef459a
                    • Instruction Fuzzy Hash: 7D51B171A143019BD714AF28CC85BAF77E8AF49320F040A29FA95D31A1DB74D944FBE2
                    APIs
                    • ShellExecuteExW.SHELL32(0000003C), ref: 00FAAEA3
                      • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                    • GetProcessId.KERNEL32(00000000), ref: 00FAAF38
                    • CloseHandle.KERNEL32(00000000), ref: 00FAAF67
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseExecuteHandleProcessShell_wcslen
                    • String ID: <$@
                    • API String ID: 146682121-1426351568
                    • Opcode ID: d96af7a1dc3e747c1e23f976219f5a31e0639aeca336f1bd9f6b3f45d1ad7735
                    • Instruction ID: bacecbda88fd3974c8b0cf4b4bf16525b1b5dd1cf050f334cc7994de1c8bde66
                    • Opcode Fuzzy Hash: d96af7a1dc3e747c1e23f976219f5a31e0639aeca336f1bd9f6b3f45d1ad7735
                    • Instruction Fuzzy Hash: 4371ACB1A00628DFCB14EF54D885A9EBBF0FF09310F048499E816AB352C778ED45EB91
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F87206
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F8723C
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F8724D
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F872CF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: DllGetClassObject
                    • API String ID: 753597075-1075368562
                    • Opcode ID: 1f16bc7c4c16666601a7f6f499172ae42b6b256b861f591dff6336a08b926586
                    • Instruction ID: 8784e8c4709a4ba42e77b556f673d590499fb18c26b4a325a960dd2f4d049ca8
                    • Opcode Fuzzy Hash: 1f16bc7c4c16666601a7f6f499172ae42b6b256b861f591dff6336a08b926586
                    • Instruction Fuzzy Hash: D7416171A04308EFDB15EF54C884BDA7BA9EF84310F2480A9BD059F25AD7B5D944EFA0
                    APIs
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB3E35
                    • IsMenu.USER32(?), ref: 00FB3E4A
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FB3E92
                    • DrawMenuBar.USER32 ref: 00FB3EA5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert
                    • String ID: 0
                    • API String ID: 3076010158-4108050209
                    • Opcode ID: e5d9df40cac56791e38549e1842c55c6da41e6ee3eb53860a4fc464a97d7143e
                    • Instruction ID: 7337a279a0a11b39e1ef05d562929b361d5af5652cae7fbf01e27edb6ead41c1
                    • Opcode Fuzzy Hash: e5d9df40cac56791e38549e1842c55c6da41e6ee3eb53860a4fc464a97d7143e
                    • Instruction Fuzzy Hash: CC413D75A01209EFDB20DF51D884AEA77B9FF45364F04412AF9059B250D770EE45EFA0
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F81E66
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F81E79
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F81EA9
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$_wcslen$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 2081771294-1403004172
                    • Opcode ID: ea6ea020c3e74d004f0ac532a7b2133dbbde85d4408b4b18ee416e2d0bb94192
                    • Instruction ID: 4e3a9fb65d7ece0f336e6da9719df9e33c1a0e2ef21ea9d00b980ae7f3fb22d9
                    • Opcode Fuzzy Hash: ea6ea020c3e74d004f0ac532a7b2133dbbde85d4408b4b18ee416e2d0bb94192
                    • Instruction Fuzzy Hash: 7321F671A00108AADB14AB64EC56CFFB7BDEF45360F144219F815A71E1DB78590ABB20
                    APIs
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FB2F8D
                    • LoadLibraryW.KERNEL32(?), ref: 00FB2F94
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FB2FA9
                    • DestroyWindow.USER32(?), ref: 00FB2FB1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$DestroyLibraryLoadWindow
                    • String ID: SysAnimate32
                    • API String ID: 3529120543-1011021900
                    • Opcode ID: ce884f1c3b4f4d8b6f48d681895bb12e7486df31502eca9b5881ed872dbe3260
                    • Instruction ID: 4e1aa3f676828a7799c3bb51322137e1ed1e6af9def5059d6b3092b578ddd5ce
                    • Opcode Fuzzy Hash: ce884f1c3b4f4d8b6f48d681895bb12e7486df31502eca9b5881ed872dbe3260
                    • Instruction Fuzzy Hash: 81218872A00209ABEB509E66DC84EBB37B9EB59374F100218F950D61A0D771DC51BBA0
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F44D1E,00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002), ref: 00F44D8D
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F44DA0
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00F44D1E,00F528E9,?,00F44CBE,00F528E9,00FE88B8,0000000C,00F44E15,00F528E9,00000002,00000000), ref: 00F44DC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: 97ddecda3c36f76450b8b26f525654de72bc9bcf00c5e04bb9ee9e42b19cbb92
                    • Instruction ID: 2c1b31ce1e76aeb6a54389e2df078939a1e9ccda9af6f69750c83f472d78ffde
                    • Opcode Fuzzy Hash: 97ddecda3c36f76450b8b26f525654de72bc9bcf00c5e04bb9ee9e42b19cbb92
                    • Instruction Fuzzy Hash: 3BF0313594020CABDB159F94DC49B9EBFB5EF44751F040159FD05A2150CB749941EED1
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E9C
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F24EAE
                    • FreeLibrary.KERNEL32(00000000,?,?,00F24EDD,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24EC0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 145871493-3689287502
                    • Opcode ID: 261f4c61ba628c6fbb3357949b0dd2ac622e9041f6495601ccb6d3e15c7c0113
                    • Instruction ID: 63070fe59ae6e8e305a8864317dc87e75dd59edf68b6eb6ae5401a34abef872a
                    • Opcode Fuzzy Hash: 261f4c61ba628c6fbb3357949b0dd2ac622e9041f6495601ccb6d3e15c7c0113
                    • Instruction Fuzzy Hash: C5E08635E02A325BA2311B29FC1CA5F7558AF81F727060215FC00E3200DBE0DD0268E1
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E62
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F24E74
                    • FreeLibrary.KERNEL32(00000000,?,?,00F63CDE,?,00FF1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F24E87
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 145871493-1355242751
                    • Opcode ID: 89700fb15f60eba1921fff8f7eac37fe4e992fdb158560e636b9fe5b254d1818
                    • Instruction ID: 668b9a0eadb6c16cc761c2b7b8b84fd916b58c7c645015987da8d8bc85d2fb02
                    • Opcode Fuzzy Hash: 89700fb15f60eba1921fff8f7eac37fe4e992fdb158560e636b9fe5b254d1818
                    • Instruction Fuzzy Hash: 11D01235902A32576A221B29BC1CD8F7A18AF85B653064615F905B7124CFA0DD02B9E1
                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 00FAA427
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FAA435
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FAA468
                    • CloseHandle.KERNEL32(?), ref: 00FAA63D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$CloseCountersCurrentHandleOpen
                    • String ID:
                    • API String ID: 3488606520-0
                    • Opcode ID: 7c3cd127402baa294107407f128c3c7988a48f465daf7ecd7053a47004726466
                    • Instruction ID: 0e58a1250b2cf1aea104e67fc4be2922ae76728edb073f2b09a592913f0f71e9
                    • Opcode Fuzzy Hash: 7c3cd127402baa294107407f128c3c7988a48f465daf7ecd7053a47004726466
                    • Instruction Fuzzy Hash: FCA1A1B16043009FD720DF24D886F2AB7E5AF88724F14881DF95A9B392DB74EC45DB92
                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FC3700), ref: 00F5BB91
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F5BC09
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00FF1270,000000FF,?,0000003F,00000000,?), ref: 00F5BC36
                    • _free.LIBCMT ref: 00F5BB7F
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F5BD4B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID:
                    • API String ID: 1286116820-0
                    • Opcode ID: f8a1c9ee9cf09777b33a7cec558fdfdf37d51bcd89af2df52de16e7b38fba2f8
                    • Instruction ID: fc7cfc09bf23fc825c4eda0b1e9f10def3b2e54edf5d86182f82a8bbea67b266
                    • Opcode Fuzzy Hash: f8a1c9ee9cf09777b33a7cec558fdfdf37d51bcd89af2df52de16e7b38fba2f8
                    • Instruction Fuzzy Hash: 7851E971D0020DEFC710DFA59C859BAB7BCBF41321B10026AEA50E71A1EB705D49FB90
                    APIs
                      • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F8CF22,?), ref: 00F8DDFD
                      • Part of subcall function 00F8DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F8CF22,?), ref: 00F8DE16
                      • Part of subcall function 00F8E199: GetFileAttributesW.KERNEL32(?,00F8CF95), ref: 00F8E19A
                    • lstrcmpiW.KERNEL32(?,?), ref: 00F8E473
                    • MoveFileW.KERNEL32(?,?), ref: 00F8E4AC
                    • _wcslen.LIBCMT ref: 00F8E5EB
                    • _wcslen.LIBCMT ref: 00F8E603
                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F8E650
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                    • String ID:
                    • API String ID: 3183298772-0
                    • Opcode ID: 89d381ce9436c68673219b9bdf9027cf3fc9d281df2db92223140a16e7da0b5c
                    • Instruction ID: b6d45496ffe48e2cbe7ce93890853d608bc7bfd1b52aa8e97b8ba7a4a4c41326
                    • Opcode Fuzzy Hash: 89d381ce9436c68673219b9bdf9027cf3fc9d281df2db92223140a16e7da0b5c
                    • Instruction Fuzzy Hash: 045184B24083455BC724EBA0DC819DF77DCAF84350F00492EF589D3191EF78E6889B66
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00FAC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FAB6AE,?,?), ref: 00FAC9B5
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FAC9F1
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA68
                      • Part of subcall function 00FAC998: _wcslen.LIBCMT ref: 00FACA9E
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FABAA5
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FABB00
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FABB63
                    • RegCloseKey.ADVAPI32(?,?), ref: 00FABBA6
                    • RegCloseKey.ADVAPI32(00000000), ref: 00FABBB3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                    • String ID:
                    • API String ID: 826366716-0
                    • Opcode ID: 9ff4a90edfa2db8dca19498af10522484e2e933da45227c8c0c67f1325df3658
                    • Instruction ID: d0e9fd7fa9c5ab0c895db97988f01c9a5857f33f5dd2d699f8f58f6857ec79fb
                    • Opcode Fuzzy Hash: 9ff4a90edfa2db8dca19498af10522484e2e933da45227c8c0c67f1325df3658
                    • Instruction Fuzzy Hash: 3D61C171608241AFC314DF24C890E2ABBE5FF85358F54855CF4998B2A2CB35ED45EBA2
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00F88BCD
                    • VariantClear.OLEAUT32 ref: 00F88C3E
                    • VariantClear.OLEAUT32 ref: 00F88C9D
                    • VariantClear.OLEAUT32(?), ref: 00F88D10
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F88D3B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType
                    • String ID:
                    • API String ID: 4136290138-0
                    • Opcode ID: 4ba36229fdd930fbb8389a582a61975f56a69febffb335945cbf266d5ff25487
                    • Instruction ID: 4780f69a7bd39e0621084f237d4583e9d8a42d95c228a295caac999beb53e5ee
                    • Opcode Fuzzy Hash: 4ba36229fdd930fbb8389a582a61975f56a69febffb335945cbf266d5ff25487
                    • Instruction Fuzzy Hash: 235158B5A00219EFCB14DF68C894AAAB7F8FF89350B158559E909DB354E730E912CF90
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F98BAE
                    • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F98BDA
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F98C32
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F98C57
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F98C5F
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String
                    • String ID:
                    • API String ID: 2832842796-0
                    • Opcode ID: 98054b3197eaba84ae3c463666e8ba301cc3db8c4d1a2e30ee1fb46d29f083bb
                    • Instruction ID: 4080d310a3327bb2bc81603ad83bc332bf0ca988b70e3bf11c82ab0f2612d90e
                    • Opcode Fuzzy Hash: 98054b3197eaba84ae3c463666e8ba301cc3db8c4d1a2e30ee1fb46d29f083bb
                    • Instruction Fuzzy Hash: AC514935A002199FDF14DF64C881A6EBBF5FF49314F088058E849AB362CB35ED41EBA0
                    APIs
                    • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FA8F40
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00FA8FD0
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FA8FEC
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00FA9032
                    • FreeLibrary.KERNEL32(00000000), ref: 00FA9052
                      • Part of subcall function 00F3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F91043,?,7644E610), ref: 00F3F6E6
                      • Part of subcall function 00F3F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F7FA64,00000000,00000000,?,?,00F91043,?,7644E610,?,00F7FA64), ref: 00F3F70D
                    Similarity
                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                    • String ID:
                    • API String ID: 666041331-0
                    • Opcode ID: 12d340356d65b1dbdbf8a8e598606d9fa73794e87d1cc73146446354c3fe2e99
                    • Instruction ID: 3165d1efeaf814a4066e0ea4b0fe2f5adc21d36f9154a4d60118977499a59138
                    • Opcode Fuzzy Hash: 12d340356d65b1dbdbf8a8e598606d9fa73794e87d1cc73146446354c3fe2e99
                    • Instruction Fuzzy Hash: C8514C75A04215DFC710DF68C4858ADBBB1FF49364F0880A9E805AB362DB75ED86EF90
                    APIs
                    • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FB6C33
                    • SetWindowLongW.USER32(?,000000EC,?), ref: 00FB6C4A
                    • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FB6C73
                    • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F9AB79,00000000,00000000), ref: 00FB6C98
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FB6CC7
                    Similarity
                    • API ID: Window$Long$MessageSendShow
                    • String ID:
                    • API String ID: 3688381893-0
                    • Opcode ID: f3ecde8f3e4d810b172b75557ffcc41593c66f97780a421afca49265719151c8
                    • Instruction ID: b9bd3641d907f52b48e091929be998a64e0ce68d7fdd8f49421cf5588c4ec65f
                    • Opcode Fuzzy Hash: f3ecde8f3e4d810b172b75557ffcc41593c66f97780a421afca49265719151c8
                    • Instruction Fuzzy Hash: 5641C475A00108AFD724DF2ACC94FE67FA5EB49360F150224F995E72A0C375AD40EE90
                    APIs
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: ba33cd27b2db4915dc97f66dce413731ab5f73ad2777503493b338f42b633c78
                    • Instruction ID: 209937588b1c3d86b29b91490467222c9bcfe4ba7f6aa77ed54db62b77b1360d
                    • Opcode Fuzzy Hash: ba33cd27b2db4915dc97f66dce413731ab5f73ad2777503493b338f42b633c78
                    • Instruction Fuzzy Hash: 8641E432E006049FCB20DF78C880A5EB7B5EF8A721F154669EA15EB391D731AD05EB80
                    APIs
                    • GetCursorPos.USER32(?), ref: 00F39141
                    • ScreenToClient.USER32(00000000,?), ref: 00F3915E
                    • GetAsyncKeyState.USER32(00000001), ref: 00F39183
                    • GetAsyncKeyState.USER32(00000002), ref: 00F3919D
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: 7bfd200128032294fb048b2a2478732400d413e5a4e73b347034d6153946cd07
                    • Instruction ID: 0bb113d781772a03b78f8385993d6d80169408b3eb994be1673be910e8403eec
                    • Opcode Fuzzy Hash: 7bfd200128032294fb048b2a2478732400d413e5a4e73b347034d6153946cd07
                    • Instruction Fuzzy Hash: 2E414071A0861ABBDF15AF64C844BEEB775FB05334F208216E429A7290C7B46950EF92
                    APIs
                    • GetInputState.USER32 ref: 00F938CB
                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F93922
                    • TranslateMessage.USER32(?), ref: 00F9394B
                    • DispatchMessageW.USER32(?), ref: 00F93955
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F93966
                    Similarity
                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                    • String ID:
                    • API String ID: 2256411358-0
                    • Opcode ID: 43c318a48ba92a0a6fdc6061bf9c2c714656401e8cd4f4a755b3eca194b8c375
                    • Instruction ID: ca5552387c0347bb505ec51eec188a82088ecf7325043a85035a0a76017da037
                    • Opcode Fuzzy Hash: 43c318a48ba92a0a6fdc6061bf9c2c714656401e8cd4f4a755b3eca194b8c375
                    • Instruction Fuzzy Hash: ED31E071D0434ADEFF35CB349848BB637A9AF11310F08056DE466C21A0E3F4AA88FB61
                    APIs
                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00F9CF38
                    • InternetReadFile.WININET(?,00000000,?,?), ref: 00F9CF6F
                    • GetLastError.KERNEL32(?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFB4
                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFC8
                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F9C21E,00000000), ref: 00F9CFF2
                    Similarity
                    • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                    • String ID:
                    • API String ID: 3191363074-0
                    • Opcode ID: c548fafe4ccd5179ac5799e7988a340f8bad1a9cca1a819375d7217b05e58495
                    • Instruction ID: 74bfcbfea81f288cf39e0a409c6f9252fdaa4b00b1be61a48e9531c6b1659260
                    • Opcode Fuzzy Hash: c548fafe4ccd5179ac5799e7988a340f8bad1a9cca1a819375d7217b05e58495
                    • Instruction Fuzzy Hash: 69315271900205EFEF20DFA5C884AABBBF9EB14364B10442EF516D3141DB30AE45EBB0
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00F81915
                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 00F819C1
                    • Sleep.KERNEL32(00000000,?,?,?), ref: 00F819C9
                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 00F819DA
                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F819E2
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: da3909381010dd636f22598a4b5b5f72f791b3d3aa1392bb317be433511eb2a4
                    • Instruction ID: 47793b0aad7005253fde3b3bf184be97213f34d5084b0f487874717f4c53b2d4
                    • Opcode Fuzzy Hash: da3909381010dd636f22598a4b5b5f72f791b3d3aa1392bb317be433511eb2a4
                    • Instruction Fuzzy Hash: 7E31AF72A00219EFCB10DFA8CD99AEE3BB9FB04325F104325F965A72D1C7709955EB90
                    APIs
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FB5745
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FB579D
                    • _wcslen.LIBCMT ref: 00FB57AF
                    • _wcslen.LIBCMT ref: 00FB57BA
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FB5816
                    Similarity
                    • API ID: MessageSend$_wcslen
                    • String ID:
                    • API String ID: 763830540-0
                    • Opcode ID: d2feed696fc851340fef42887e458af97aab511b2bd68495c03ecc6ffb70f31e
                    • Instruction ID: 334a57a13414ad0c3fb2b538b2de633fd85e19efcc100d96be10345aadd4d98e
                    • Opcode Fuzzy Hash: d2feed696fc851340fef42887e458af97aab511b2bd68495c03ecc6ffb70f31e
                    • Instruction Fuzzy Hash: 76217371D04618EADB20DFA1CC85BEE7BB8FF04B24F108216E919EB180D7789985EF50
                    APIs
                    • IsWindow.USER32(00000000), ref: 00FA0951
                    • GetForegroundWindow.USER32 ref: 00FA0968
                    • GetDC.USER32(00000000), ref: 00FA09A4
                    • GetPixel.GDI32(00000000,?,00000003), ref: 00FA09B0
                    • ReleaseDC.USER32(00000000,00000003), ref: 00FA09E8
                    Similarity
                    • API ID: Window$ForegroundPixelRelease
                    • String ID:
                    • API String ID: 4156661090-0
                    • Opcode ID: e0284f69cac42d98e3f081659b999992de895e3d874e6fa18767c4b97cd2eeb8
                    • Instruction ID: 2629690a586370d2865f2d0ac68fbefd4794ebe5602cd863a8ad3fb22162cc79
                    • Opcode Fuzzy Hash: e0284f69cac42d98e3f081659b999992de895e3d874e6fa18767c4b97cd2eeb8
                    • Instruction Fuzzy Hash: 40218175A00214AFD714EF69DC85AAFBBE9EF49700F048168F84A97752CB34AC04EF90
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 00F5CDC6
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F5CDE9
                      • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F5CE0F
                    • _free.LIBCMT ref: 00F5CE22
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F5CE31
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: 8b2a9f0ce80347889128fb99bd516b850f9ec87d6f6cc476f3188f89f1f3f5d5
                    • Instruction ID: 90f29dac6f09868623ab7830d826af375b4beba5ba1b5d1148c4063843566ebf
                    • Opcode Fuzzy Hash: 8b2a9f0ce80347889128fb99bd516b850f9ec87d6f6cc476f3188f89f1f3f5d5
                    • Instruction Fuzzy Hash: 02018472A013157F232116BA6C8AD7B7A6DDEC6FA23150229FE06D7201EA658D06B5F0
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                    • SelectObject.GDI32(?,00000000), ref: 00F396A2
                    • BeginPath.GDI32(?), ref: 00F396B9
                    • SelectObject.GDI32(?,00000000), ref: 00F396E2
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 3c436649ac29484939f8e447c50a70727552b03f8a13227e09f8f71a763be466
                    • Instruction ID: 872cf64a8b14ba9f533f28092a1f14a96122c2873421641c66c6a1b4e4ba4b30
                    • Opcode Fuzzy Hash: 3c436649ac29484939f8e447c50a70727552b03f8a13227e09f8f71a763be466
                    • Instruction Fuzzy Hash: 67215931806309EBDB21AF29EC597BA3BA8BF10375F104216F810A61A0D3F09895FFD0
                    APIs
                    Similarity
                    • API ID: _memcmp
                    • String ID:
                    • API String ID: 2931989736-0
                    • Opcode ID: b4726f63d9cedda8892e4822430b1449c39093e371a61eaaba6fa3d4f2b0eed7
                    • Instruction ID: 9909f2a0a758df9e015b06282dbefe2d06119b0a9c480f43c05f8b3b6b87aad5
                    • Opcode Fuzzy Hash: b4726f63d9cedda8892e4822430b1449c39093e371a61eaaba6fa3d4f2b0eed7
                    • Instruction Fuzzy Hash: B901F5A6A4160DBBE2086511DD82FFF774CAB60BA4F40C030FD049E241F724EE54B7A5
                    APIs
                    • GetLastError.KERNEL32(?,?,?,00F4F2DE,00F53863,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6), ref: 00F52DFD
                    • _free.LIBCMT ref: 00F52E32
                    • _free.LIBCMT ref: 00F52E59
                    • SetLastError.KERNEL32(00000000,00F21129), ref: 00F52E66
                    • SetLastError.KERNEL32(00000000,00F21129), ref: 00F52E6F
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: 678beaa7d70109d264f4715bf9127c33750abb690a861c2e8e4b62e207d6eec4
                    • Instruction ID: df91fbbeffaab14d111be54494cd836afe8fc75fdd480450c8311a426c9aa5c5
                    • Opcode Fuzzy Hash: 678beaa7d70109d264f4715bf9127c33750abb690a861c2e8e4b62e207d6eec4
                    • Instruction Fuzzy Hash: 0801FE3250590467C65227756C87D2B3659ABD37B7B244319FF25A2192DE289C0D7160
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?,?,00F8035E), ref: 00F8002B
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80046
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80054
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?), ref: 00F80064
                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F7FF41,80070057,?,?), ref: 00F80070
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: defde1fc910db0b33cdfe50155bfe5cd5ed9f9b57ec05eb903f19d1bf9d1ffc6
                    • Instruction ID: 7f70bc69afeded64db4d8b11e22a8a64a168fc58e120c6e4ba06bb765e098545
                    • Opcode Fuzzy Hash: defde1fc910db0b33cdfe50155bfe5cd5ed9f9b57ec05eb903f19d1bf9d1ffc6
                    • Instruction Fuzzy Hash: 9D01AD72A00208BFDB516F68DC84BEB7AEDEF447A2F544224F905D6210EB71DD44BBA0
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?), ref: 00F8E997
                    • QueryPerformanceFrequency.KERNEL32(?), ref: 00F8E9A5
                    • Sleep.KERNEL32(00000000), ref: 00F8E9AD
                    • QueryPerformanceCounter.KERNEL32(?), ref: 00F8E9B7
                    • Sleep.KERNEL32 ref: 00F8E9F3
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: dabda5f3313947edc3c52f31b3fb5b1e014770a4ce2d976e1c6dfc20eb45fc0f
                    • Instruction ID: 513b1be34442cf7a3466fc27499b09ead708957d237168f37322d8b6441f3a56
                    • Opcode Fuzzy Hash: dabda5f3313947edc3c52f31b3fb5b1e014770a4ce2d976e1c6dfc20eb45fc0f
                    • Instruction Fuzzy Hash: F8019E31D0162DDBCF00AFE9DC89AEEBB78FF09311F000646E542B2241CB709550EBA1
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F81114
                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81120
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F8112F
                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F80B9B,?,?,?), ref: 00F81136
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F8114D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: c290f55ca697fab31355cda462a5573ffc5d27aa8cac6e60a63a6e2f280561cb
                    • Instruction ID: 44fd36452db0b13f1cceae11547c1c14c3e6f99bbf04e7f6795d1188367d26af
                    • Opcode Fuzzy Hash: c290f55ca697fab31355cda462a5573ffc5d27aa8cac6e60a63a6e2f280561cb
                    • Instruction Fuzzy Hash: 3A016D75500609BFDB115F65DC8DAAB3B6EFF85360B210515FA45D3360DA31DC00AFA0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F80FCA
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F80FD6
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F80FE5
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F80FEC
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F81002
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: d550bd87a0c877c6d0cee40b708d4b41df6523d8e66238c8fde6bc99aa33f45a
                    • Instruction ID: fbc93b2f0bcdd080ac393199d98b5940c51e678a3558ffeb9e8043f56a6ad571
                    • Opcode Fuzzy Hash: d550bd87a0c877c6d0cee40b708d4b41df6523d8e66238c8fde6bc99aa33f45a
                    • Instruction Fuzzy Hash: 3DF0A975200309ABDB212FA99C89F973BADFF89762F100525FA49D6251CA30DC40AEA0
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F8102A
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F81036
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81045
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F8104C
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81062
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 3e6842303f75ab764c22a03d198685a2ea34e2fffeb7db10e111fa855bc51c1d
                    • Instruction ID: 13553e8ec5bd50c16e35c798b8744035a98f7f44a17262254ea50f9b9d051276
                    • Opcode Fuzzy Hash: 3e6842303f75ab764c22a03d198685a2ea34e2fffeb7db10e111fa855bc51c1d
                    • Instruction Fuzzy Hash: 31F06D75200309EBDB216FA9EC89F973BADFF89761F100525FA45D7251CA70D841AFA0
                    APIs
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90324
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90331
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F9033E
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F9034B
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90358
                    • CloseHandle.KERNEL32(?,?,?,?,00F9017D,?,00F932FC,?,00000001,00F62592,?), ref: 00F90365
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    • Opcode ID: c9f7adb56772d421d776e82ad800532824b3ff5ac895bd9a30ff5e1f4b06fbe6
                    • Instruction ID: 44818f5dfce83d3e7adf38493f2388a5a720beaad9cd25a2584d8c7fe9b8cf95
                    • Opcode Fuzzy Hash: c9f7adb56772d421d776e82ad800532824b3ff5ac895bd9a30ff5e1f4b06fbe6
                    • Instruction Fuzzy Hash: 8B01AE72800B159FDB30AF66D880812FBF9BF603253158A3FD19652931CBB1A958EF80
                    APIs
                    • _free.LIBCMT ref: 00F5D752
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F5D764
                    • _free.LIBCMT ref: 00F5D776
                    • _free.LIBCMT ref: 00F5D788
                    • _free.LIBCMT ref: 00F5D79A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 2bc8def762334641f9f388fcfd9bb6fbd620e609e047d90f40676a363f339b1b
                    • Instruction ID: 3bd153d0c09343c57aded1db6267336194637d3354adea37ccc882ef3ca36ccf
                    • Opcode Fuzzy Hash: 2bc8def762334641f9f388fcfd9bb6fbd620e609e047d90f40676a363f339b1b
                    • Instruction Fuzzy Hash: 82F09C3290124CAB8675EB58FDC1C5A7BEDBB493227940C05FE44E7502C734FC84B6A0
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00F85C58
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F85C6F
                    • MessageBeep.USER32(00000000), ref: 00F85C87
                    • KillTimer.USER32(?,0000040A), ref: 00F85CA3
                    • EndDialog.USER32(?,00000001), ref: 00F85CBD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 6721d525c31a85c25ed08c690acd215760668b67f5c576e7b309aa3a07d0a628
                    • Instruction ID: 27bd008debc1fd2d6b7cb4601b69fe4e587394b55137af1b5663964477e2afb5
                    • Opcode Fuzzy Hash: 6721d525c31a85c25ed08c690acd215760668b67f5c576e7b309aa3a07d0a628
                    • Instruction Fuzzy Hash: A4018B705007049BEB216B20DD8EFE677B9BB01F05F001659A587A14E1DBF45944AF90
                    APIs
                    • _free.LIBCMT ref: 00F522BE
                      • Part of subcall function 00F529C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000), ref: 00F529DE
                      • Part of subcall function 00F529C8: GetLastError.KERNEL32(00000000,?,00F5D7D1,00000000,00000000,00000000,00000000,?,00F5D7F8,00000000,00000007,00000000,?,00F5DBF5,00000000,00000000), ref: 00F529F0
                    • _free.LIBCMT ref: 00F522D0
                    • _free.LIBCMT ref: 00F522E3
                    • _free.LIBCMT ref: 00F522F4
                    • _free.LIBCMT ref: 00F52305
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 04b336ef9f530372d6977e23cdb3fcf598f18fce7aa1abf83d05e1daf7626781
                    • Instruction ID: cecc65eef3f0bca74eb32774dab1e1ee1c76922b0ba55132db75c280e6e51045
                    • Opcode Fuzzy Hash: 04b336ef9f530372d6977e23cdb3fcf598f18fce7aa1abf83d05e1daf7626781
                    • Instruction Fuzzy Hash: 3DF054748001189B8652AF9CBC418693B78FF19762B00070AF910E63B2CB350516FFE4
                    APIs
                    • EndPath.GDI32(?), ref: 00F395D4
                    • StrokeAndFillPath.GDI32(?,?,00F771F7,00000000,?,?,?), ref: 00F395F0
                    • SelectObject.GDI32(?,00000000), ref: 00F39603
                    • DeleteObject.GDI32 ref: 00F39616
                    • StrokePath.GDI32(?), ref: 00F39631
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: e593eda1367142d02538f0983134ae7f11d7f181a234083ea349578013b8fe7d
                    • Instruction ID: e2c178f418655d677b1194d61b8c83fceb9985cdb4e007d2ada9f2a7a6605503
                    • Opcode Fuzzy Hash: e593eda1367142d02538f0983134ae7f11d7f181a234083ea349578013b8fe7d
                    • Instruction Fuzzy Hash: 3FF0F63140A20CEBDB226F69ED5877A3B69BF10372F048214E565950F0CBF08995FFA0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __freea$_free
                    • String ID: a/p$am/pm
                    • API String ID: 3432400110-3206640213
                    • Opcode ID: 971ec30d16c27e6898e6ae6367c58ae54cee3c9265ebbc24fe85226c3d226cbc
                    • Instruction ID: 47a0c3d582c13332da0a3a5a3dc00f48007af0333cec012988a7e7a8b2cc0b04
                    • Opcode Fuzzy Hash: 971ec30d16c27e6898e6ae6367c58ae54cee3c9265ebbc24fe85226c3d226cbc
                    • Instruction Fuzzy Hash: 3AD10532D00206DADB249F68C865BFAB7B4FF06722F140159EF019BA51D375BD88EB91
                    APIs
                      • Part of subcall function 00F40242: EnterCriticalSection.KERNEL32(00FF070C,00FF1884,?,?,00F3198B,00FF2518,?,?,?,00F212F9,00000000), ref: 00F4024D
                      • Part of subcall function 00F40242: LeaveCriticalSection.KERNEL32(00FF070C,?,00F3198B,00FF2518,?,?,?,00F212F9,00000000), ref: 00F4028A
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F400A3: __onexit.LIBCMT ref: 00F400A9
                    • __Init_thread_footer.LIBCMT ref: 00FA7BFB
                      • Part of subcall function 00F401F8: EnterCriticalSection.KERNEL32(00FF070C,?,?,00F38747,00FF2514), ref: 00F40202
                      • Part of subcall function 00F401F8: LeaveCriticalSection.KERNEL32(00FF070C,?,00F38747,00FF2514), ref: 00F40235
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                    • String ID: 5$G$Variable must be of type 'Object'.
                    • API String ID: 535116098-3733170431
                    • Opcode ID: d4645f60e4150d9723f670f2d890ec74deaf26ebdefe362bcaf38552d641052f
                    • Instruction ID: 716cbaff09e90b1bf95c5c33c9f2a8937432a779966992a204b619762e1ba530
                    • Opcode Fuzzy Hash: d4645f60e4150d9723f670f2d890ec74deaf26ebdefe362bcaf38552d641052f
                    • Instruction Fuzzy Hash: F3919CB5A04209EFCB04EF54DC90DBDB7B1BF4A310F148059F8069B2A2DB75AE45EB61
                    APIs
                      • Part of subcall function 00F8B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F821D0,?,?,00000034,00000800,?,00000034), ref: 00F8B42D
                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F82760
                      • Part of subcall function 00F8B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F821FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F8B3F8
                      • Part of subcall function 00F8B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F8B355
                      • Part of subcall function 00F8B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F82194,00000034,?,?,00001004,00000000,00000000), ref: 00F8B365
                      • Part of subcall function 00F8B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F82194,00000034,?,?,00001004,00000000,00000000), ref: 00F8B37B
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F827CD
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F8281A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                    • String ID: @
                    • API String ID: 4150878124-2766056989
                    • Opcode ID: 5bb41147867b875dd3121623eec1eeb2720394277af8ff18388fe975d7a75f9b
                    • Instruction ID: c4e3b2c323673c00e176b0e830fbaad1fd39fd192c1129ae56e47b034c750646
                    • Opcode Fuzzy Hash: 5bb41147867b875dd3121623eec1eeb2720394277af8ff18388fe975d7a75f9b
                    • Instruction Fuzzy Hash: CE411B72900218BFDB10EFA4CD86AEEBBB8AF09710F104095FA55B7181DB746E45DBA1
                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\whiteee.exe,00000104), ref: 00F51769
                    • _free.LIBCMT ref: 00F51834
                    • _free.LIBCMT ref: 00F5183E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Users\user\Desktop\whiteee.exe
                    • API String ID: 2506810119-1416438080
                    • Opcode ID: cef49572d75939e553c1ba888c1d01b527ea647b4754dbe77258c86b864c4754
                    • Instruction ID: 3acfc6809e5d5a06a81c76d12cf64c3a6108b2b6a2eb41b2daf9c38bdbce3360
                    • Opcode Fuzzy Hash: cef49572d75939e553c1ba888c1d01b527ea647b4754dbe77258c86b864c4754
                    • Instruction Fuzzy Hash: A7318375E00218EBDB21DB999C81E9EBBBCFF85312B144166FE0497211D6705E48EB90
                    APIs
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F8C306
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00F8C34C
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FF1990,01505208), ref: 00F8C395
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem
                    • String ID: 0
                    • API String ID: 135850232-4108050209
                    • Opcode ID: 5cd070b2388465bda70747879e1bac90d7bacc0d6802d51126f81fb60310ccc9
                    • Instruction ID: c0c960f5ed6410c2ebb27634a632ccd80456b2dbf3b2ec5df98be91b6a877133
                    • Opcode Fuzzy Hash: 5cd070b2388465bda70747879e1bac90d7bacc0d6802d51126f81fb60310ccc9
                    • Instruction Fuzzy Hash: 1C41A3316043019FD720EF25DC84B9ABBE8EF85320F14862DF9A5972D1D774E905EBA2
                    APIs
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FBCC08,00000000,?,?,?,?), ref: 00FB44AA
                    • GetWindowLongW.USER32 ref: 00FB44C7
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FB44D7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 15cfc3bef67ab9110431c64e1f243317e1ba7781361a752b6e19cd845a71f562
                    • Instruction ID: 35943266359bd376d457efbd25a314707ab207b6de76de1732ccc5553d046388
                    • Opcode Fuzzy Hash: 15cfc3bef67ab9110431c64e1f243317e1ba7781361a752b6e19cd845a71f562
                    • Instruction Fuzzy Hash: BB31CD31610605AFDB209E39DC45BEA7BA9EB08334F244315F979921E1D774EC60AB60
                    APIs
                      • Part of subcall function 00FA335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FA3077,?,?), ref: 00FA3378
                    • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FA307A
                    • _wcslen.LIBCMT ref: 00FA309B
                    • htons.WSOCK32(00000000,?,?,00000000), ref: 00FA3106
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                    • String ID: 255.255.255.255
                    • API String ID: 946324512-2422070025
                    • Opcode ID: 40321586aba28bb319b6ba0ff09c95a8b9b2ca9a0ef51ef0a65bd4677d0482cf
                    • Instruction ID: f779034a862e504fdd3a191d71aa5cdae3e9133c27a0d29d1bb9d050efca31ec
                    • Opcode Fuzzy Hash: 40321586aba28bb319b6ba0ff09c95a8b9b2ca9a0ef51ef0a65bd4677d0482cf
                    • Instruction Fuzzy Hash: 1231E7B5A042059FCB10CF68C885EAA77E0EF16328F24C059F8158B392DB75EE41EB60
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FB3F40
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FB3F54
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FB3F78
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 2eac8fb5c223b22c54a5ded1f1662d3690f4cbf7960dc20e91074c01dea9d03f
                    • Instruction ID: 9c5a0108891d46aa6d8865c234c462b4504a083a6e11f693f8c828f2aabebf69
                    • Opcode Fuzzy Hash: 2eac8fb5c223b22c54a5ded1f1662d3690f4cbf7960dc20e91074c01dea9d03f
                    • Instruction Fuzzy Hash: 0421BF32A40219BBDF259F91CC46FEA3B79EF48724F110214FA156B1D0D6B5E850EB90
                    APIs
                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FB4705
                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FB4713
                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FB471A
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$DestroyWindow
                    • String ID: msctls_updown32
                    • API String ID: 4014797782-2298589950
                    • Opcode ID: c552752a9b00b73abc246afd880e0eaf2573d0f3ec65eea4df4399183167949a
                    • Instruction ID: 97271e42ae707545c2064af4a4f61e9b8d3046b1ac93d57e201f8af642882c30
                    • Opcode Fuzzy Hash: c552752a9b00b73abc246afd880e0eaf2573d0f3ec65eea4df4399183167949a
                    • Instruction Fuzzy Hash: C9211BB5600209AFEB10DF65DC81DB737ADEB5A3A4B140159FA049B251CB75FC11EEA0
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 176396367-2734436370
                    • Opcode ID: 7edd9d230992aaba41c5beabbce822d4b4910a73c37ce9c70f483aca33cb91eb
                    • Instruction ID: 0e5635c72140238218abd99fed8bb2e6cbb24d6ded777222f0e2ba83bface8be
                    • Opcode Fuzzy Hash: 7edd9d230992aaba41c5beabbce822d4b4910a73c37ce9c70f483aca33cb91eb
                    • Instruction Fuzzy Hash: 40213532608621A6C331BA25DC02FFB77D89F91320F1C4026F9499B181FBD9AD46F395
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FB3840
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FB3850
                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FB3876
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: 4cfb3a033e8204cc54957b8e0f11900b39ea1ca567814582706b290cf77fa527
                    • Instruction ID: b0ad2a86c373c6ae5f94fd2ed1abbc7c3a9ec3a2a2f138fa0f1cd59739dad6a0
                    • Opcode Fuzzy Hash: 4cfb3a033e8204cc54957b8e0f11900b39ea1ca567814582706b290cf77fa527
                    • Instruction Fuzzy Hash: 8421D072A40218BBEB219F56CC84FFB376EEF89760F108114F9009B190CA71DC12ABE0
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 00F94A08
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F94A5C
                    • SetErrorMode.KERNEL32(00000000,?,?,00FBCC08), ref: 00F94AD0
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume
                    • String ID: %lu
                    • API String ID: 2507767853-685833217
                    • Opcode ID: 740a7ba02e1aecdc5c03cbeeb1f5ae157a932b0992814aac4fbd59afa7eb5aad
                    • Instruction ID: 71f8ef3c94426e633365518f1ff9a55834aa32575db7e8ccfeb307cb3ebd3646
                    • Opcode Fuzzy Hash: 740a7ba02e1aecdc5c03cbeeb1f5ae157a932b0992814aac4fbd59afa7eb5aad
                    • Instruction Fuzzy Hash: B1317171A00109AFDB10DF54C885EAABBF8EF48318F1480A5F909EB252D775ED46DBA1
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FB424F
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FB4264
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FB4271
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: 98e9e1a687c6006f2e683c0d7ae705ded63f02c77f53593f0ac29859da95814b
                    • Instruction ID: 4949602afcb84ee9a9a26b25ac2af4ba637dbc4bcda2f755af94a881cd43eced
                    • Opcode Fuzzy Hash: 98e9e1a687c6006f2e683c0d7ae705ded63f02c77f53593f0ac29859da95814b
                    • Instruction Fuzzy Hash: D011E331640248BEEF209E2ACC06FEB3BACEF95B64F010114FA55E20A1D271EC11FB50
                    APIs
                      • Part of subcall function 00F26B57: _wcslen.LIBCMT ref: 00F26B6A
                      • Part of subcall function 00F82DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F82DC5
                      • Part of subcall function 00F82DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F82DD6
                      • Part of subcall function 00F82DA7: GetCurrentThreadId.KERNEL32 ref: 00F82DDD
                      • Part of subcall function 00F82DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F82DE4
                    • GetFocus.USER32 ref: 00F82F78
                      • Part of subcall function 00F82DEE: GetParent.USER32(00000000), ref: 00F82DF9
                    • GetClassNameW.USER32(?,?,00000100), ref: 00F82FC3
                    • EnumChildWindows.USER32(?,00F8303B), ref: 00F82FEB
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                    • String ID: %s%d
                    • API String ID: 1272988791-1110647743
                    • Opcode ID: 2d47457495f1445f25eb7ebaba668179780e44ac8fac2688904593ba1f7f4b1d
                    • Instruction ID: 2da5199a4f39214159769a933479f76e2a015ad0af88d1c81afceaf16e5b747f
                    • Opcode Fuzzy Hash: 2d47457495f1445f25eb7ebaba668179780e44ac8fac2688904593ba1f7f4b1d
                    • Instruction Fuzzy Hash: 1E1103726002096BCF507F709CC6EEE3B6AAF84308F044075FD09DB292DE349909AB70
                    APIs
                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FB58C1
                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FB58EE
                    • DrawMenuBar.USER32(?), ref: 00FB58FD
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Menu$InfoItem$Draw
                    • String ID: 0
                    • API String ID: 3227129158-4108050209
                    • Opcode ID: 3134e328bcb81bc24144f3c6c220be4b068b59c261781fc8448fda24f3538bd7
                    • Instruction ID: c85b081b33abc79c9b942cfcc93583607a79f5f3ee367fa80f76552f6cd90314
                    • Opcode Fuzzy Hash: 3134e328bcb81bc24144f3c6c220be4b068b59c261781fc8448fda24f3538bd7
                    • Instruction Fuzzy Hash: D5012D32900218EFDB219F12DC44BEFBBB4FB45761F1480AAE849D6151DB348A98FF61
                    APIs
                     • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F7D3BF (resolves GetSystemWow64DirectoryW by name at run time; together with the X64 string in this function it is the runtime's OS-architecture check, not a lookup of anything unusual)
                    • FreeLibrary.KERNEL32 ref: 00F7D3E5
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: AddressFreeLibraryProc
                    • String ID: GetSystemWow64DirectoryW$X64
                    • API String ID: 3013587201-2590602151
                    • Opcode ID: 0023f766e1770a11552e85e7351c16111b8110e26aca1ffbc20bf16d80d72c99
                    • Instruction ID: 59384c6db9de59c0e80402c6fd4611981b00f265c94482008312477aefb697f6
                    • Opcode Fuzzy Hash: 0023f766e1770a11552e85e7351c16111b8110e26aca1ffbc20bf16d80d72c99
                    • Instruction Fuzzy Hash: C8F05562C026258BD3B512118C94BAA3334AF00B15FDAC217F80EF2047EB60CC42FAD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e66758f2d4b5770836a214312bc36653604be74120a6acab9432e6ad9c57c793
                    • Instruction ID: 61c0f688673097a5b15de6bc862f2db0bc1dd209a21adb8d79aa91e13dd13dfd
                    • Opcode Fuzzy Hash: e66758f2d4b5770836a214312bc36653604be74120a6acab9432e6ad9c57c793
                    • Instruction Fuzzy Hash: C1C17C75A0020AEFDB54DFA4C888BAEB7B5FF48314F508598E405EB251CB71EE45EB90
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                    • Instruction ID: 6337d4cf60934f44ed2e407b769e220939492d39c2fe192f0a34600738aff47f
                    • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
                    • Instruction Fuzzy Hash: 53A16B72D007469FD716CF18CC817AEBBE4EF613A5F28416DEE459B281C2389989E750
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Variant$ClearInitInitializeUninitialize
                    • String ID:
                    • API String ID: 1998397398-0
                    • Opcode ID: 70d6839d116dff16f1f72b630246483af15fed8732559cc7795bab9eed3eecaa
                    • Instruction ID: ab146a90ef010882046f86ae52cfe145086608ddc9f54b8ac239e45b0e17b945
                    • Opcode Fuzzy Hash: 70d6839d116dff16f1f72b630246483af15fed8732559cc7795bab9eed3eecaa
                    • Instruction Fuzzy Hash: A6A150B56043109FC700EF28C985E1AB7E5FF89724F088859F9899B361DB34ED01EB91
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F805F0
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F80608
                    • CLSIDFromProgID.OLE32(?,?,00000000,00FBCC40,000000FF,?,00000000,00000800,00000000,?,00FBFC08,?), ref: 00F8062D
                    • _memcmp.LIBVCRUNTIME ref: 00F8064E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID:
                    • API String ID: 314563124-0
                    • Opcode ID: 28b7db12b8d9d1fdf2ee7ae45ae52a4f6b4eeecef3d8da0ff19060756f1cc773
                    • Instruction ID: 0733798ed4e0ee34869b438ec8569ed704af9715824051480f0399dd8fd4b321
                    • Opcode Fuzzy Hash: 28b7db12b8d9d1fdf2ee7ae45ae52a4f6b4eeecef3d8da0ff19060756f1cc773
                    • Instruction Fuzzy Hash: 64812971A00109EFCB44DF94C988EEEB7B9FF89315F244558E506AB250DB71AE0ADF60
                     Memory Dump Source
                     • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 77a3456e65d258f19e75e7f6f9715f2eb788e7d8dbf1605114b15474b350eacd
                    • Instruction ID: 5bd6e9a0985ae637c7e733ba45f818244450172fb9e6cce891be4e3b62978fc2
                    • Opcode Fuzzy Hash: 77a3456e65d258f19e75e7f6f9715f2eb788e7d8dbf1605114b15474b350eacd
                    • Instruction Fuzzy Hash: 9D411931E00110ABDB25EBB98C467BE3AA4FF43370F1C4225F919D7292EA788D457761
                    APIs
                    • GetWindowRect.USER32(0150E6D0,?), ref: 00FB62E2
                    • ScreenToClient.USER32(?,?), ref: 00FB6315
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FB6382
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    • Opcode ID: eda33758a49b038b57b171361d316d1186f4fa0b2026bb4022b101d098e97e7a
                    • Instruction ID: 3677582099dda6e36bd24cc8c8f8e13adffa741bf7b18bb7060a207dc6540fb9
                    • Opcode Fuzzy Hash: eda33758a49b038b57b171361d316d1186f4fa0b2026bb4022b101d098e97e7a
                    • Instruction Fuzzy Hash: 8D512870A00209EFDB20DF59D8809AE7BB5EF45360F148269F915D7290D774AD41EF90
                    APIs
                     • socket.WSOCK32(00000002,00000002,00000011), ref: 00FA1AFD (AF_INET, SOCK_DGRAM, IPPROTO_UDP: a UDP socket)
                     • WSAGetLastError.WSOCK32 ref: 00FA1B0B
                     • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FA1B8A (ordinal 21 of wsock32.dll is setsockopt; 0000FFFF and 00000020 are SOL_SOCKET and SO_BROADCAST, so this enables broadcast sends on the UDP socket)
                     • WSAGetLastError.WSOCK32 ref: 00FA1B94
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ErrorLast$socket
                    • String ID:
                    • API String ID: 1881357543-0
                    • Opcode ID: 1605c2fa413186d552fcb6c1e9c86d500cddfef609a3d53e9b6d55175f777fd8
                    • Instruction ID: 9f73813840a5f09805867ff19e5ba7c518f9803edcc13322dd4cf22ce027652a
                    • Opcode Fuzzy Hash: 1605c2fa413186d552fcb6c1e9c86d500cddfef609a3d53e9b6d55175f777fd8
                    • Instruction Fuzzy Hash: D441E274600210AFE720EF20DC86F2A77E5AF89728F548448F91A9F7D2D776DD419BA0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                     • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4b96f990d36ecb8449ab49a17b5a2ab9c690aa617da4a514dc3c769fa4df5307
                    • Instruction ID: ede0ed41c9fe0a1f4eec2d0cb2c0a7a5e41ba9eb3ff2ccfca38511f9bddeed8a
                    • Opcode Fuzzy Hash: 4b96f990d36ecb8449ab49a17b5a2ab9c690aa617da4a514dc3c769fa4df5307
                    • Instruction Fuzzy Hash: FB413C72A00304BFD724DF38CC41B6A7BE9EB88721F20462EFA05DB282D375A9059790
                    APIs
                     • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F95783
                     • GetLastError.KERNEL32(?,00000000), ref: 00F957A9
                     • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F957CE
                     • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F957FA (retry path: when the first CreateHardLinkW fails, the error is read, the existing destination is deleted and the link is created again, i.e. overwrite semantics)
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F46D71,00000000,00000000,00F482D9,?,00F482D9,?,00000001,00F46D71,8BE85006,00000001,00F482D9,00F482D9), ref: 00F5D910
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F5D999
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F5D9AB
                    • __freea.LIBCMT ref: 00F5D9B4
                      • Part of subcall function 00F53820: RtlAllocateHeap.NTDLL(00000000,?,00FF1444,?,00F3FDF5,?,?,00F2A976,00000010,00FF1440,00F213FC,?,00F213C6,?,00F21129), ref: 00F53852
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    APIs
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00FB5352
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB5375
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FB5382
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FB53A8
                    Similarity
                    • API ID: LongWindow$InvalidateMessageRectSend
                    • String ID:
                    • API String ID: 3340791633-0
                    APIs
                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F8ABF1
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F8AC0D
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F8AC74
                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F8ACC6
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 00FB769A
                    • GetWindowRect.USER32(?,?), ref: 00FB7710
                    • PtInRect.USER32(?,?,00FB8B89), ref: 00FB7720
                    • MessageBeep.USER32(00000000), ref: 00FB778C
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    • GetForegroundWindow.USER32 ref: 00FB16EB
                      • Part of subcall function 00F83A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F83A57
                      • Part of subcall function 00F83A3D: GetCurrentThreadId.KERNEL32 ref: 00F83A5E
                      • Part of subcall function 00F83A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F825B3), ref: 00F83A65
                    • GetCaretPos.USER32(?), ref: 00FB16FF
                    • ClientToScreen.USER32(00000000,?), ref: 00FB174C
                    • GetForegroundWindow.USER32 ref: 00FB1752
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00F8D501
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00F8D50F
                    • Process32NextW.KERNEL32(00000000,?), ref: 00F8D52F
                    • CloseHandle.KERNEL32(00000000), ref: 00F8D5DC
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • GetCursorPos.USER32(?), ref: 00FB9001
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F77711,?,?,?,?,?), ref: 00FB9016
                    • GetCursorPos.USER32(?), ref: 00FB905E
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F77711,?,?,?), ref: 00FB9094
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    APIs
                    • GetFileAttributesW.KERNEL32(?,00FBCB68), ref: 00F8D2FB
                    • GetLastError.KERNEL32 ref: 00F8D30A
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F8D319
                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FBCB68), ref: 00F8D376
                    Similarity
                    • API ID: CreateDirectory$AttributesErrorFileLast
                    • String ID:
                    • API String ID: 2267087916-0
                    APIs
                      • Part of subcall function 00F81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F8102A
                      • Part of subcall function 00F81014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F81036
                      • Part of subcall function 00F81014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81045
                      • Part of subcall function 00F81014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F8104C
                      • Part of subcall function 00F81014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F81062
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F815BE
                    • _memcmp.LIBVCRUNTIME ref: 00F815E1
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F81617
                    • HeapFree.KERNEL32(00000000), ref: 00F8161E
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    APIs
                    • GetWindowLongW.USER32(?,000000EC), ref: 00FB280A
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FB2824
                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FB2832
                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FB2840
                    Similarity
                    • API ID: Window$Long$AttributesLayered
                    • String ID:
                    • API String ID: 2169480361-0
                    APIs
                      • Part of subcall function 00F88D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F8790A,?,000000FF,?,00F88754,00000000,?,0000001C,?,?), ref: 00F88D8C
                      • Part of subcall function 00F88D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00F88DB2
                      • Part of subcall function 00F88D7D: lstrcmpiW.KERNEL32(00000000,?,00F8790A,?,000000FF,?,00F88754,00000000,?,0000001C,?,?), ref: 00F88DE3
                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F88754,00000000,?,0000001C,?,?,00000000), ref: 00F87923
                    • lstrcpyW.KERNEL32(00000000,?), ref: 00F87949
                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F88754,00000000,?,0000001C,?,?,00000000), ref: 00F87984
                    Strings
                    Similarity
                    • API ID: lstrcmpilstrcpylstrlen
                    • String ID: cdecl
                    • API String ID: 4031866154-3896280584
                    APIs
                    • GetWindowLongW.USER32(?,000000F0), ref: 00FB7D0B
                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FB7D2A
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FB7D42
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F9B7AD,00000000), ref: 00FB7D6B
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    Similarity
                    • API ID: Window$Long
                    • String ID:
                    • API String ID: 847901565-0
                    APIs
                    • SendMessageW.USER32(?,00001060,?,00000004), ref: 00FB56BB
                    • _wcslen.LIBCMT ref: 00FB56CD
                    • _wcslen.LIBCMT ref: 00FB56D8
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FB5816
                    Similarity
                    • API ID: MessageSend_wcslen
                    • String ID:
                    • API String ID: 455545452-0
                    APIs
                    • SetTextColor.GDI32(?,?), ref: 00F398D6
                    • SetBkMode.GDI32(?,00000001), ref: 00F398E9
                    • GetStockObject.GDI32(00000005), ref: 00F398F1
                    • GetWindowLongW.USER32(?,000000EB), ref: 00F39952
                    Similarity
                    • API ID: ColorLongModeObjectStockTextWindow
                    • String ID:
                    • API String ID: 2960364272-0
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00F81A47
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A59
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A6F
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F81A8A
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    • Opcode ID: ad4fdbe600827a75455c933cb379979198692a46a840338a90f22c048f8f2667
                    • Instruction ID: 6b14e8f6231b53ed44b4cdd9fb89e2593b04b9da1555b6af7b22da3f186fbfc5
                    • Opcode Fuzzy Hash: ad4fdbe600827a75455c933cb379979198692a46a840338a90f22c048f8f2667
                    • Instruction Fuzzy Hash: 0111273AD01219FFEB10ABA4CD85FEDBB78FB08750F200191EA14B7290D6716E51EB94
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00F8E1FD
                    • MessageBoxW.USER32(?,?,?,?), ref: 00F8E230
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F8E246
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F8E24D
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                    • String ID:
                    • API String ID: 2880819207-0
                    • Opcode ID: 668c99226f04365db91acef6ba11ef2dff27df4226e3fd30d4b5fa0ed2c0740b
                    • Instruction ID: d25a09ce5a9912f7160d6ecb4d556128b0b50c6f146f480c0c7f6ae7b94c5d1b
                    • Opcode Fuzzy Hash: 668c99226f04365db91acef6ba11ef2dff27df4226e3fd30d4b5fa0ed2c0740b
                    • Instruction Fuzzy Hash: 4211C476D0425CBBD701AFA89C49AEF7FADAF45320F144365F924E3291D6B0C904ABA0
                    APIs
                    • CreateThread.KERNEL32(00000000,?,00F4CFF9,00000000,00000004,00000000), ref: 00F4D218
                    • GetLastError.KERNEL32 ref: 00F4D224
                    • __dosmaperr.LIBCMT ref: 00F4D22B
                    • ResumeThread.KERNEL32(00000000), ref: 00F4D249
                    Similarity
                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                    • String ID:
                    • API String ID: 173952441-0
                    • Opcode ID: b3183c98dcb500aa25ebd1c7d7a0e82056c16008e907604910fdd21c9d8e62e5
                    • Instruction ID: f11ca7ddaff766ddd626eb0f549c956a3344848d406f96321f4e361e73d60991
                    • Opcode Fuzzy Hash: b3183c98dcb500aa25ebd1c7d7a0e82056c16008e907604910fdd21c9d8e62e5
                    • Instruction Fuzzy Hash: DB01D236805218BBDB115BA5DC49BAF7EA9DF81331F100319FD25921D0DBB4CA45E6A0
                    APIs
                      • Part of subcall function 00F39BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F39BB2
                    • GetClientRect.USER32(?,?), ref: 00FB9F31
                    • GetCursorPos.USER32(?), ref: 00FB9F3B
                    • ScreenToClient.USER32(?,?), ref: 00FB9F46
                    • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FB9F7A
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    • Opcode ID: 5449983068e84d03e61d93da2a6df2192890dbb373df205dce0c8ab2df8a3818
                    • Instruction ID: 674ec7872c90b3c6d1cbd707bd24ffae981e6d4395dd7db862fcde8772c9e321
                    • Opcode Fuzzy Hash: 5449983068e84d03e61d93da2a6df2192890dbb373df205dce0c8ab2df8a3818
                    • Instruction Fuzzy Hash: 4611253290411AABDB10EFAACC859FE77B9FB46321F000551FA11E3150D7B4BA81EFA1
                    APIs
                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                    • GetStockObject.GDI32(00000011), ref: 00F26060
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                    Similarity
                    • API ID: CreateMessageObjectSendStockWindow
                    • String ID:
                    • API String ID: 3970641297-0
                    • Opcode ID: cd362b51e512f44e39abda874ec22ff0c8b501fc4f0494450797ad55e1323f35
                    • Instruction ID: 3f877f0bfeb0e3dcd05419e2b51d0e0ce7f86123fbbbf1edaf3a955d2f5dc185
                    • Opcode Fuzzy Hash: cd362b51e512f44e39abda874ec22ff0c8b501fc4f0494450797ad55e1323f35
                    • Instruction Fuzzy Hash: 92115B72501558BFEF129FA4AC84EEBBB69EF193A4F040215FA1496110D732DC60FFA1
                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00F43B56
                      • Part of subcall function 00F43AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F43AD2
                      • Part of subcall function 00F43AA3: ___AdjustPointer.LIBCMT ref: 00F43AED
                    • _UnwindNestedFrames.LIBCMT ref: 00F43B6B
                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F43B7C
                    • CallCatchBlock.LIBVCRUNTIME ref: 00F43BA4
                    Similarity
                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                    • String ID:
                    • API String ID: 737400349-0
                    • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                    • Instruction ID: 27aa185f84cd35d22f4e1bc42b978c21b6b1b4c3511c56f4b341fadd58947a7b
                    • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                    • Instruction Fuzzy Hash: DC010C32500149BBDF126E95CC46EEB7F6DFF98768F044114FE48A6121C736E961EBA0
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F213C6,00000000,00000000,?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue), ref: 00F530A5
                    • GetLastError.KERNEL32(?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue,00FC2290,FlsSetValue,00000000,00000364,?,00F52E46), ref: 00F530B1
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F5301A,00F213C6,00000000,00000000,00000000,?,00F5328B,00000006,FlsSetValue,00FC2290,FlsSetValue,00000000), ref: 00F530BF
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: 9564506aa6e2c3c0257afdc20ea0023951396c53131a217bbbaa82e1cd0b5a5a
                    • Instruction ID: 324cbf5472f2e2a2cbe84178d7d43b09b6721e07948616a49aa9afb7152c0f47
                    • Opcode Fuzzy Hash: 9564506aa6e2c3c0257afdc20ea0023951396c53131a217bbbaa82e1cd0b5a5a
                    • Instruction Fuzzy Hash: 70018832711326ABCB214A7D9C84A677798AF457F6B110720FE05E71C0D721D909EAE0
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F8747F
                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F87497
                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F874AC
                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F874CA
                    Similarity
                    • API ID: Type$Register$FileLoadModuleNameUser
                    • String ID:
                    • API String ID: 1352324309-0
                    • Opcode ID: 8f0dabf216b4471487ca733a72a2ad35215d769f6e0e7d02a160e7734fe30b46
                    • Instruction ID: fc2217d7cbbf20063ac994888e365238548fbe879cb89a814cd524008c438956
                    • Opcode Fuzzy Hash: 8f0dabf216b4471487ca733a72a2ad35215d769f6e0e7d02a160e7734fe30b46
                    • Instruction Fuzzy Hash: C5118BB2209314EBE720EF54DC48BD37BFCEB00B10F208569A656D6191D7B0E904EFA0
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0C4
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0E9
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B0F3
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F8ACD3,?,00008000), ref: 00F8B126
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID:
                    • API String ID: 2875609808-0
                    • Opcode ID: 5f015c685afd918c1ff24a275bae9c3c1cd850012470ffcd306e0c669377cb08
                    • Instruction ID: 5fea3ed1a0b043394d6d880ec2c63875540924840bdbe67cd5a28e7fe18a14cb
                    • Opcode Fuzzy Hash: 5f015c685afd918c1ff24a275bae9c3c1cd850012470ffcd306e0c669377cb08
                    • Instruction Fuzzy Hash: 35113931C0192CE7CF00EFA9E9986EEBB78FF09711F104186D981B6181CB305650AB91
                    APIs
                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F82DC5
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F82DD6
                    • GetCurrentThreadId.KERNEL32 ref: 00F82DDD
                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F82DE4
                    Similarity
                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                    • String ID:
                    • API String ID: 2710830443-0
                    • Opcode ID: e48042b85af18dfc73b95d8f743ef8f93322de1cbb14984eab7c5b1e9c79b78a
                    • Instruction ID: ef7997edbbee103bb27cf8992d343f297b249d6e4507b70cec215b7b56fef85b
                    • Opcode Fuzzy Hash: e48042b85af18dfc73b95d8f743ef8f93322de1cbb14984eab7c5b1e9c79b78a
                    • Instruction Fuzzy Hash: B4E06D725012287BD7202B639C4DFEB3F6DEB42BA1F000215B509D10809AA09840EAF0
                    APIs
                      • Part of subcall function 00F39639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F39693
                      • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396A2
                      • Part of subcall function 00F39639: BeginPath.GDI32(?), ref: 00F396B9
                      • Part of subcall function 00F39639: SelectObject.GDI32(?,00000000), ref: 00F396E2
                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FB8887
                    • LineTo.GDI32(?,?,?), ref: 00FB8894
                    • EndPath.GDI32(?), ref: 00FB88A4
                    • StrokePath.GDI32(?), ref: 00FB88B2
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: e36048c44d7fe7f377f1d47b21957ff1171a2b9d4cc6c1f83b2e37cefe9f6995
                    • Instruction ID: c34af36843fde0a70415bcbd4b49e501801d0f71e32357f6b6d7e7b4e68e674b
                    • Opcode Fuzzy Hash: e36048c44d7fe7f377f1d47b21957ff1171a2b9d4cc6c1f83b2e37cefe9f6995
                    • Instruction Fuzzy Hash: F7F03A36045259FBDB126F94AC4AFDA3A59AF06360F048100FA11A50E1C7B55511EFE5
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00F398CC
                    • SetTextColor.GDI32(?,?), ref: 00F398D6
                    • SetBkMode.GDI32(?,00000001), ref: 00F398E9
                    • GetStockObject.GDI32(00000005), ref: 00F398F1
                    Similarity
                    • API ID: Color$ModeObjectStockText
                    • String ID:
                    • API String ID: 4037423528-0
                    • Opcode ID: 20336ef7dffddb41347804cdfd88262c46c64d14edeca65a49bf9449880807ef
                    • Instruction ID: f9bc7eafe112e39381c39428a5b581b080863adb34fec592c1f2cd4cf445879d
                    • Opcode Fuzzy Hash: 20336ef7dffddb41347804cdfd88262c46c64d14edeca65a49bf9449880807ef
                    • Instruction Fuzzy Hash: 25E06531644284AADB215B78AC49BD93F10AB11735F08C31AF6F9580E1C3714640AF11
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 00F81634
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F811D9), ref: 00F8163B
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F811D9), ref: 00F81648
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F811D9), ref: 00F8164F
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    • Opcode ID: 11ce271fd6efd8d64d71ac6e6695e57572bed14da4e7596a09ee67a0f9550f17
                    • Instruction ID: dfe6d420804414f7234e0c8089ec278026e7c040127a52920270d5b788bdae31
                    • Opcode Fuzzy Hash: 11ce271fd6efd8d64d71ac6e6695e57572bed14da4e7596a09ee67a0f9550f17
                    • Instruction Fuzzy Hash: 4EE08631A01215DBD7202FA09D4DBC73B7CBF447E1F184918F285C9080E6344441EFA0
                    APIs
                    • GetDesktopWindow.USER32 ref: 00F7D858
                    • GetDC.USER32(00000000), ref: 00F7D862
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F7D882
                    • ReleaseDC.USER32(?), ref: 00F7D8A3
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 33420e4fd4121378ccaca173302b0e44302906e0da25f07541bc7e51b3456294
                    • Instruction ID: 02098bb32bcd59cd4152d192f9b7639228c2c58a9dd797f4e1206ff13b9c2fde
                    • Opcode Fuzzy Hash: 33420e4fd4121378ccaca173302b0e44302906e0da25f07541bc7e51b3456294
                    • Instruction Fuzzy Hash: 43E01AB5C00208DFCB41AFA4D948A6EBBB6FB48310F108109E80AE7250C7384901BF91
                    APIs
                    • GetDesktopWindow.USER32 ref: 00F7D86C
                    • GetDC.USER32(00000000), ref: 00F7D876
                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F7D882
                    • ReleaseDC.USER32(?), ref: 00F7D8A3
                    Similarity
                    • API ID: CapsDesktopDeviceReleaseWindow
                    • String ID:
                    • API String ID: 2889604237-0
                    • Opcode ID: 7d238a4e955a8d731f8da6122ebf3bcaec1fa2626e5f9bfcb85decd6ef7f1a45
                    • Instruction ID: 3f80c063a2566fed2f3e1714d43e31bb31216b61a8b50551da0e7716b4d3e469
                    • Opcode Fuzzy Hash: 7d238a4e955a8d731f8da6122ebf3bcaec1fa2626e5f9bfcb85decd6ef7f1a45
                    • Instruction Fuzzy Hash: 6BE09AB5D04208DFCB51AFA4D948A6EBBB6BB48311F148549E94AE7250C7385901BF90
                    APIs
                      • Part of subcall function 00F27620: _wcslen.LIBCMT ref: 00F27625
                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F94ED4
                    Strings
                    Similarity
                    • API ID: Connection_wcslen
                    • String ID: *$LPT
                    • API String ID: 1725874428-3443410124
                    • Opcode ID: 82a0fc0f5a67fff521b520983657cee676415706183571113b340d7e9f222fce
                    • Instruction ID: 3b8c979278fe44f816257019038bdf17aca4f8f34a0398f2a8dfcf15140da20b
                    • Opcode Fuzzy Hash: 82a0fc0f5a67fff521b520983657cee676415706183571113b340d7e9f222fce
                    • Instruction Fuzzy Hash: 3C918275E002159FDB14DF54C484EAABBF1BF54318F188099E80A9F3A2D735ED86DB90
                    Strings
                    Similarity
                    • API ID:
                    • String ID: #
                    • API String ID: 0-1885708031
                    • Opcode ID: 8fe36a6e6dbc584ad7843c3daada6c7cded9d91489e91b52a7ceb8ab53b13a4e
                    • Instruction ID: 7ea5399800a741f86912c4c112e21beee4051ebf944ecb4d0ad29b6dd0445c55
                    • Opcode Fuzzy Hash: 8fe36a6e6dbc584ad7843c3daada6c7cded9d91489e91b52a7ceb8ab53b13a4e
                    • Instruction Fuzzy Hash: C3513635D00246DFDB19DF28C481ABA7BA8EF19320F248097EC659B2C0D638DD53EB52
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00F3F2A2
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F3F2BB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    • Opcode ID: d19f68185cbdb7eaf288e2fea5bf513c30f4f71fa438b066a2967dfeda5bdd8e
                    • Instruction ID: 03447029a40fefc542dfdd2ba21006a86874e23a6510e9c115a0b857a4299557
                    • Opcode Fuzzy Hash: d19f68185cbdb7eaf288e2fea5bf513c30f4f71fa438b066a2967dfeda5bdd8e
                    • Instruction Fuzzy Hash: 06512771408748ABD320AF50EC86BAFBBF8FB84300F81895DF1D941195EB748529DBA6
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00FA57E0
                    • _wcslen.LIBCMT ref: 00FA57EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: BuffCharUpper_wcslen
                    • String ID: CALLARGARRAY
                    • API String ID: 157775604-1150593374
                    • Opcode ID: 98966118b3c540679b0ab5a41e2d4b7226a1cf8bf69beb84fa333558f358d7b2
                    • Instruction ID: af8ce2116cc6c6a5dec39f8ef9674d61dd197bec4c34bdcb543dcffcd428afe3
                    • Opcode Fuzzy Hash: 98966118b3c540679b0ab5a41e2d4b7226a1cf8bf69beb84fa333558f358d7b2
                    • Instruction Fuzzy Hash: 0A419371E002099FCB14EFA9C8819FEBBB5FF5A720F144069E505A7252E7789D81EF90
                    APIs
                    • _wcslen.LIBCMT ref: 00F9D130
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F9D13A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CrackInternet_wcslen
                    • String ID: |
                    • API String ID: 596671847-2343686810
                    • Opcode ID: 346b3ff291f520e5090a618428cd8368d4d9b43edc1aaef14852f7e0ea051a33
                    • Instruction ID: 611b73bae8d589cbc02e3c71bfabf8a0a0fb25f9ac8db3c7dde089fcedaa129d
                    • Opcode Fuzzy Hash: 346b3ff291f520e5090a618428cd8368d4d9b43edc1aaef14852f7e0ea051a33
                    • Instruction Fuzzy Hash: 34318F71C01219ABDF11EFA4DC85EEE7FB9FF04300F100019F815A6162DB35AA46EB60
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00FB3621
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FB365C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    • Opcode ID: c2373abfc5ff82601b0441da775788041bcb18047dd56acbd91c20db2df3a0c1
                    • Instruction ID: 2f7aa862b0b98802687dee913f1a1489358578adf4108f90896712235c7c3c65
                    • Opcode Fuzzy Hash: c2373abfc5ff82601b0441da775788041bcb18047dd56acbd91c20db2df3a0c1
                    • Instruction Fuzzy Hash: BE319071510604AEDB24DF29DC80FFB73A9FF88760F108619F8A5D7290DA34AD81EB60
                    APIs
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FB461F
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FB4634
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: '
                    • API String ID: 3850602802-1997036262
                    • Opcode ID: bf4f9bbaf4dbb5de497d78a9aeed8a2b0c5e13b2d93036f11cca8396692db7cf
                    • Instruction ID: d33954805a749f1f4ec4197cf6a52147ad7e5b5b72980b6e0c2c1a8f0bd5141d
                    • Opcode Fuzzy Hash: bf4f9bbaf4dbb5de497d78a9aeed8a2b0c5e13b2d93036f11cca8396692db7cf
                    • Instruction Fuzzy Hash: EF313B75A006199FDB14CF6AC980BDABBB5FF49300F144069E904AB382D770A941DF90
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FB327C
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FB3287
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    • Opcode ID: 3f322a1fc1e0cea838b0ae86ea142be277d9420c00d50c462e1f798f4ed54261
                    • Instruction ID: f7271ac46a626541fbfb9392f1c684240d4a182772a1b2a673607eb5b5a26d73
                    • Opcode Fuzzy Hash: 3f322a1fc1e0cea838b0ae86ea142be277d9420c00d50c462e1f798f4ed54261
                    • Instruction Fuzzy Hash: F911B2717402087FEF219E95DC81EFB376AEB983A4F104229F91897290D6719D51ABA0
                    APIs
                      • Part of subcall function 00F2600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F2604C
                      • Part of subcall function 00F2600E: GetStockObject.GDI32(00000011), ref: 00F26060
                      • Part of subcall function 00F2600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F2606A
                    • GetWindowRect.USER32(00000000,?), ref: 00FB377A
                    • GetSysColor.USER32(00000012), ref: 00FB3794
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: 2cb46d1c7c747a61c89ff7638e6a1b11e35a5c0e903fec25b9e1dc3adede076f
                    • Instruction ID: be50bbffcdbedf5c473520c86d724890ddd8782169069612b286e4e63e24a1b6
                    • Opcode Fuzzy Hash: 2cb46d1c7c747a61c89ff7638e6a1b11e35a5c0e903fec25b9e1dc3adede076f
                    • Instruction Fuzzy Hash: B81129B2650209AFDB10DFA9CC45EEA7BB8FB08354F104614F955E2250EB35E851EBA0
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F9CD7D
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F9CDA6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 322efa6436aad4ec583ee589e2987964c16ad08fe1bc2adb739d095101e60a9b
                    • Instruction ID: f5bdaf24fc60385077d34c0ac4a4ac048f2137298b39d7c79a82fd3121cae60e
                    • Opcode Fuzzy Hash: 322efa6436aad4ec583ee589e2987964c16ad08fe1bc2adb739d095101e60a9b
                    • Instruction Fuzzy Hash: AB11C6B26056367AEB384B668C85FE7BE6CEF127B4F104227B12983180D7709840E6F0
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 00FB34AB
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FB34BA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 925ff56ee59a3f7b1a001e337f8cbda88abc8e204a0e2700ba27272afde435f0
                    • Instruction ID: aaf97433e8fda04b699165efff7de27d080f5d54490cd6911e074cf5c12f7eb3
                    • Opcode Fuzzy Hash: 925ff56ee59a3f7b1a001e337f8cbda88abc8e204a0e2700ba27272afde435f0
                    • Instruction Fuzzy Hash: 08116D71540108EBEB218E66DC84AEB376AEF05374F504324F965931E4C775DC51BF50
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                    • CharUpperBuffW.USER32(?,?,?), ref: 00F86CB6
                    • _wcslen.LIBCMT ref: 00F86CC2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen$BuffCharUpper
                    • String ID: STOP
                    • API String ID: 1256254125-2411985666
                    • Opcode ID: 277506ab1b1253f2c3e06e75021827d8a4ab8088de452b408c7a11fb9f88c4f6
                    • Instruction ID: 9c3c6eb1c3a3ec5710cbbf6a8a5a9279448a388dd35d30901a4dc46245cfec4e
                    • Opcode Fuzzy Hash: 277506ab1b1253f2c3e06e75021827d8a4ab8088de452b408c7a11fb9f88c4f6
                    • Instruction Fuzzy Hash: A801C433A145278BCB21BFBDDC909FF77A5FB61720B500524E852D7191EA75D900E750
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F81D4C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 17d475fecd55573c3f6553072a432b49f80ee6142db2dc099a2810ffbbf8b0ca
                    • Instruction ID: f2712d88f153a571a9b32ec515a6e75d9a5fb544bcd2c23862ff1ace7cd9544c
                    • Opcode Fuzzy Hash: 17d475fecd55573c3f6553072a432b49f80ee6142db2dc099a2810ffbbf8b0ca
                    • Instruction Fuzzy Hash: F4012872A00228ABCB04FBA0DC51EFE73A8FB46760F040619F822572D1EA745909A7A0
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F81C46
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 069235286e98d478560362374e15914c8f716995522d82d9a1a0d38d5e02555b
                    • Instruction ID: 756212a319c5967cb5c5d75feff48b3ce83d35158c90f01246975626d28d3b0a
                    • Opcode Fuzzy Hash: 069235286e98d478560362374e15914c8f716995522d82d9a1a0d38d5e02555b
                    • Instruction Fuzzy Hash: E001A775A8111867CB04FB90DD62EFF77ACBB56740F140119A40667281EA649E09B7B1
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F81CC8
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: d91bd2010d164c4bc0e45e23254f9b659b903703c0e7b9726d1e48c29a27bde9
                    • Instruction ID: 296a309931e339cfd59f00f33abde824b4ad1b409213a6108764f6ef911db334
                    • Opcode Fuzzy Hash: d91bd2010d164c4bc0e45e23254f9b659b903703c0e7b9726d1e48c29a27bde9
                    • Instruction Fuzzy Hash: AC01A2B5B8012867CB04FBA1DE12AFE73ACAB12740F540115B80273281EA649F09B772
                    APIs
                      • Part of subcall function 00F29CB3: _wcslen.LIBCMT ref: 00F29CBD
                      • Part of subcall function 00F83CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F83CCA
                    • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F81DD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_wcslen
                    • String ID: ComboBox$ListBox
                    • API String ID: 624084870-1403004172
                    • Opcode ID: 798189ceae7ecc5f2cce4d31fdc006d4ae8c1d76b69e03f296bb8e4762fa3667
                    • Instruction ID: 032db8da647a0d67ec4c24fbe9f8ed4c6e3e2ad9e9fc8678ffee10ede4c9c177
                    • Opcode Fuzzy Hash: 798189ceae7ecc5f2cce4d31fdc006d4ae8c1d76b69e03f296bb8e4762fa3667
                    • Instruction Fuzzy Hash: C7F02872F4022867CB04F7A4DC62FFF73BCBB02750F040A15B822632C1DAA49909A360
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: _wcslen
                    • String ID: 3, 3, 16, 1
                    • API String ID: 176396367-3042988571
                    • Opcode ID: 8d630afbdd6542ead348bdd6566559c40e4a4c1b876464240d732432c805359a
                    • Instruction ID: 95f5b1763029c9beb3d09353e7eba526b40dbf814ae845c6e77b53f11e8529f3
                    • Opcode Fuzzy Hash: 8d630afbdd6542ead348bdd6566559c40e4a4c1b876464240d732432c805359a
                    • Instruction Fuzzy Hash: C6E02B46614320509231327ADCC1E7F6B8DCFCE760710182BFD81D2266EE98DD92B3A1
                    APIs
                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F80B23
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: Message
                    • String ID: AutoIt$Error allocating memory.
                    • API String ID: 2030045667-4017498283
                    • Opcode ID: bf73a7d1b3fbe0048a29db17b60daf59ec831560f8b3b88194fec608ff2e2540
                    • Instruction ID: 16f13bb8a66049827ea1b11685b48355985dcb14bff04424a8313940cb2161f9
                    • Opcode Fuzzy Hash: bf73a7d1b3fbe0048a29db17b60daf59ec831560f8b3b88194fec608ff2e2540
                    • Instruction Fuzzy Hash: 6DE0483264435827E21437957C47FCA7E848F05F65F200426FB58955C38EE564947AE9
                    APIs
                      • Part of subcall function 00F3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F40D71,?,?,?,00F2100A), ref: 00F3F7CE
                    • IsDebuggerPresent.KERNEL32(?,?,?,00F2100A), ref: 00F40D75
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F2100A), ref: 00F40D84
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F40D7F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 55579361-631824599
                    • Opcode ID: 61e2981e7081ce1eadab9da317986c1db0edf4f26a6ef9927b2b5d444223435a
                    • Instruction ID: 33f3ed4bf5e7b5d0a84f2a60c9d92b7d53f7c9bf342c876226ddaba39ea85de7
                    • Opcode Fuzzy Hash: 61e2981e7081ce1eadab9da317986c1db0edf4f26a6ef9927b2b5d444223435a
                    • Instruction Fuzzy Hash: FCE06D706003118BD3209FB9E8447527FF4AF04740F004A2DE982C6652DFB5E448AFA1
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: LocalTime
                    • String ID: %.3d$X64
                    • API String ID: 481472006-1077770165
                    • Opcode ID: 064727106af66b40e998ebf7d57e3cbd29ec997401f7a6923032a295a982c572
                    • Instruction ID: 8bfdb4e4707b754803ca21ccc08054a4adbef11b079f5d9653d916ba3341c40a
                    • Opcode Fuzzy Hash: 064727106af66b40e998ebf7d57e3cbd29ec997401f7a6923032a295a982c572
                    • Instruction Fuzzy Hash: 9ED012A2C08109EACB90A6D0DC45ABAB37CAF48311F90C453F90AE1041D624C509FB63
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB236C
                    • PostMessageW.USER32(00000000), ref: 00FB2373
                      • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 019fb855c170c5ca6f5895c270bc417c10e2dea2b98775655177cd7d9ad4508a
                    • Instruction ID: bc029d2ccc84c173ce454c5ca4b72c06ee808f7f49bd5878385f9f741e56f00c
                    • Opcode Fuzzy Hash: 019fb855c170c5ca6f5895c270bc417c10e2dea2b98775655177cd7d9ad4508a
                    • Instruction Fuzzy Hash: 1DD0A9323C03047AE264B730DC4FFC776049B04B00F000A02B285EA0D0C8E0A8009A84
                    APIs
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB232C
                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FB233F
                      • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: FindMessagePostSleepWindow
                    • String ID: Shell_TrayWnd
                    • API String ID: 529655941-2988720461
                    • Opcode ID: 5e03ea21cd1e97e7809e478c0c40e5159cc756f17fd130c68977de2ca9a054e9
                    • Instruction ID: 7345a5599651cf8ed9528f04f0236051d859e4c88bbf15d3bc511329aee748d9
                    • Opcode Fuzzy Hash: 5e03ea21cd1e97e7809e478c0c40e5159cc756f17fd130c68977de2ca9a054e9
                    • Instruction Fuzzy Hash: D5D0A932380304B6E264B730DC4FFD77A049B00B00F000A02B289AA0D0C8E0A8009A80
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F5BE93
                    • GetLastError.KERNEL32 ref: 00F5BEA1
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F5BEFC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2163623532.0000000000F21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F20000, based on PE: true
                    • Associated: 00000000.00000002.2163605840.0000000000F20000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FBC000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163784743.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163871603.0000000000FEC000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2163891317.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_f20000_whiteee.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: 85a46180387cccb4f709fb5b55cd5a1c1466ce870e026fc0e41287f02cfabebb
                    • Instruction ID: dec66386c46b908e2388be2350499c3de63370cf507f4abec77a1810165aa1d0
                    • Opcode Fuzzy Hash: 85a46180387cccb4f709fb5b55cd5a1c1466ce870e026fc0e41287f02cfabebb
                    • Instruction Fuzzy Hash: D741D535A04206AFCF218FA5CC45BBA7BE5AF41322F144169FE59971A1DB308D09EB60
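The function records above (API chain, referenced strings, and the report's own similarity keys) can be turned into structured data and triaged mechanically rather than read one by one. The script below is an added example and not Joe Sandbox code; it assumes only what this page shows, namely that each record is laid out as APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity and then the Opcode/Instruction IDs, that items are bullet lines, and that rendered numeric arguments are hex. Its sample input is a constructed excerpt copied from the records above, and its three tags are the example's own heuristics: IsDebuggerPresent next to the "Unable to initialize critical section in CAtlBaseModule" string is tagged as ATL runtime start-up (in ATL's CAtlBaseModule constructor the debugger check only decides whether that OutputDebugString message is emitted after a failed InitializeCriticalSectionAndSpinCount) rather than as a sample-specific anti-debug check; PostMessageW's second argument 0x111 is decoded as WM_COMMAND with the command identifier 0x197 reported but not interpreted; and functions are grouped by the report's API String ID, which is how the two Shell_TrayWnd functions on this page are marked as similar.

```python
"""Parse the function records rendered on this page into API chains and triage them.
Added example, not Joe Sandbox code; the record layout (APIs, Strings, Memory Dump Source, Joe
Sandbox IDA Plugin, Similarity, Opcode/Instruction IDs) is assumed from this page only."""
import re
from dataclasses import dataclass, field
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
WM_COMMAND = 0x0111  # PostMessageW's second argument in the Shell_TrayWnd records
# "Name.MODULE(args), ref: ADDR", optional "Part of subcall function ADDR: " prefix, args optional.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\."
                    r"(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: list            # rendered arguments; '?' means the analyser could not resolve it
    ref: str
    subcall_of: str = ""  # address of the sub-function when the call is indirect

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)  # API ID, String ID, API String ID, Opcode ID, ...

def parse_records(text: str) -> list:
    """Split the listing into FunctionRecords; each 'APIs' header opens a new record."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        item = line.lstrip("• ").strip()
        if section == "APIs":
            if m := API_RE.match(item):
                args = m.group("args")
                current.apis.append(ApiCall(m.group("name"), m.group("module"),
                                            [] if args is None else args.split(","),
                                            m.group("ref"), m.group("sub") or ""))
        elif section == "Strings":
            current.strings.append(item.rsplit(", xrefs:", 1)[0])  # drop the xref address
        else:
            key, _, value = item.partition(":")  # values may themselves contain ':'
            current.meta[key.strip()] = value.strip()
    return records

def triage(rec: FunctionRecord) -> list:
    """Heuristic tags for one function (this example's own rules, not Joe Sandbox verdicts)."""
    tags = []
    if any(c.name == "IsDebuggerPresent" for c in rec.apis):
        # ATL's CAtlBaseModule constructor checks IsDebuggerPresent only to decide whether to
        # OutputDebugString this message after a failed critical-section init: start-up code.
        atl = any("CAtlBaseModule" in s for s in rec.strings)
        tags.append("atl-runtime-init" if atl else "debugger-check")
    for c in rec.apis:
        hexargs = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None for a in c.args]
        if c.name == "FindWindowW" and c.args[:1] == ["Shell_TrayWnd"]:
            tags.append("taskbar-window-lookup")
        if c.name == "PostMessageW" and len(hexargs) >= 3 and hexargs[1] == WM_COMMAND:
            tags.append(f"wm-command:{hexargs[2]}")  # command id only, not interpreted
    return tags

def group_by_similarity(records: list) -> dict:
    """Group functions by the report's own 'API String ID' similarity key."""
    keys = {r.meta.get("API String ID", "") for r in records}
    return {k: [r for r in records if r.meta.get("API String ID", "") == k] for k in keys}
# Constructed excerpt copied from the records on this page (Memory Dump lines omitted).
SAMPLE = """\
APIs
  • Part of subcall function 00F3F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F40D71,?,?,?,00F2100A), ref: 00F3F7CE
• IsDebuggerPresent.KERNEL32(?,?,?,00F2100A), ref: 00F40D75
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F2100A), ref: 00F40D84
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F40D7F
Similarity
• API String ID: 55579361-631824599
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FB233F
  • Part of subcall function 00F8E97B: Sleep.KERNEL32 ref: 00F8E9F3
Similarity
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FB236C
• PostMessageW.USER32(00000000), ref: 00FB2373
Similarity
• API String ID: 529655941-2988720461
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.meta.get("API String ID"), " -> ".join(c.name for c in rec.apis), triage(rec))
```

Feeding the script the page's own listing (the "Download File" link text and indentation are irrelevant to it) yields one record per function; the third sample record shows the guard for a PostMessageW whose arguments the analyser could not fully render, which gets no wm-command tag rather than a wrong one. The Opcode ID and fuzzy-hash lines land in `meta` untouched, so they can be joined against other reports without re-parsing.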