Windows Analysis Report
Ship Docs_CI PL HBL COO_.exe

Overview

General Information

Sample name: Ship Docs_CI PL HBL COO_.exe
Analysis ID: 1467921
MD5: bb66e44260b8a454abcb20aeb4b13f7b
SHA1: dd6a7662d0f2a05f00dcc80dd6baa37cdefafba6
SHA256: d4c4ee49a5ce076550c8305fcd63fe86707a251a2ca7d47c67d0dbef66b2a1e3
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Ship Docs_CI PL HBL COO_.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe" MD5: BB66E44260B8A454ABCB20AEB4B13F7B)
    • RegSvcs.exe (PID: 6776 cmdline: "C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.suplementvases.com", "Username": "username: freshner@suplementvases.com", "Password": "u2FOHNL09DdqcPx"}
Source | Rule | Description | Author | Strings
00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see matched strings below
  • 0x34b15:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x34b87:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34c11:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x34ca3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34d0d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x34d7f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34e15:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ea5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

                    System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 131.226.2.151, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6776, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
                    No Snort rule has matched

                    AV Detection

Source: http://mail.suplementvases.com | Avira URL Cloud: Label: malware
Source: 1.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.suplementvases.com", "Username": "username: freshner@suplementvases.com", "Password": "u2FOHNL09DdqcPx"}
Source: Ship Docs_CI PL HBL COO_.exe | Virustotal: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ship Docs_CI PL HBL COO_.exe | Joe Sandbox ML: detected
Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP | source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1642650112.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1641552729.0000000003520000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1642650112.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1641552729.0000000003520000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00084696: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008C93C: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008C9C7: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F200: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F35D: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F65E: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00083A2B: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00083D4E: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008BF27: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose

                    Networking

Source: Yara match | File source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 131.226.2.151:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: UNASSIGNED
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000925E2: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.suplementvases.com
Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.000000000333A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000001.00000002.4112584252.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003824000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003553000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003447000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.suplementvases.com
Source: RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4117085657.000000000A41B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114399590.000000000662A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114088603.000000000655D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.i.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4117085657.000000000A41B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114399590.000000000662A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114088603.000000000655D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000001.00000002.4112584252.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000001.00000002.4114245949.00000000065E1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114305204.00000000065FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000001.00000002.4114245949.00000000065E1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114305204.00000000065FD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49730 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, SKTzxzsJw.cs | .Net Code: hlPN
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0009425A: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00094458: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00080219: GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000ACDAC: DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00023B4C: This is a third-party compiled AutoIt script.
Source: Ship Docs_CI PL HBL COO_.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000000.1634015420.00000000000D5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_11aa2567-a
Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000000.1634015420.00000000000D5000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_8a1c165b-c
Source: Ship Docs_CI PL HBL COO_.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_83e896fc-a
Source: Ship Docs_CI PL HBL COO_.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_97ba3ce0-2
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00084021: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00078858: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008545F: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0002E800
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004DBB5
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000A804A
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0002E060
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00034140
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00042405
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00056522
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000A0665
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0005267E
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004283A
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00036843
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000589DF
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00038A0E
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00056A94
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000A0AE2
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0007EB07
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00088B13
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004CD61
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00057006
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0003710E
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00033190
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00021287
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000433C7
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004F419
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00035680
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000416C4
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000358C0
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000478D3
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00041BB8
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00059D05
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0002FE40
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00041FD0
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004BFE6
Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_019D35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_031341F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0313AB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_03134AC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0313B810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0313EFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_03133EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D7B834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D7CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D7EB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D7B514
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D82358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D858C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D861D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D851A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D87958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D87278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D8E370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D80040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_070C39C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_070C9591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_070C95A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D80007
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exeCode function: String function: 00048B40 appears 42 times
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exeCode function: String function: 00040D27 appears 70 times
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exeCode function: String function: 00027F41 appears 35 times
                    Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1643081307.0000000003693000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ship Docs_CI PL HBL COO_.exe
                    Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1641990262.00000000037ED000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Ship Docs_CI PL HBL COO_.exe
                    Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilename65f6ac0a-ca04-4292-9a7c-c35a3a892697.exe4 vs Ship Docs_CI PL HBL COO_.exe
                    Source: Ship Docs_CI PL HBL COO_.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@3/3
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008A2D5 GetLastError,FormatMessageW
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00078713 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00078CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0009F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008C602 CoInitialize,CoCreateInstance,CoUninitialize
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00024FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | File created: C:\Users\user\AppData\Local\Temp\aut5F9C.tmp
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Ship Docs_CI PL HBL COO_.exe | Virustotal: Detection: 28%
                    Source: unknown | Process created: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe "C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Ship Docs_CI PL HBL COO_.exe | Static file information: File size 1059328 > 1048576
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: Binary string: wntdll.pdbUGP source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1642650112.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1641552729.0000000003520000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1642650112.0000000003710000.00000004.00001000.00020000.00000000.sdmp, Ship Docs_CI PL HBL COO_.exe, 00000000.00000003.1641552729.0000000003520000.00000004.00001000.00020000.00000000.sdmp
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: Ship Docs_CI PL HBL COO_.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0009C304 LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0002C590 push eax; retn 0002h 0_2_0002C599
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00088719 push FFFFFF8Bh; iretd 0_2_0008871B
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004E94F push edi; ret 0_2_0004E951
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004EA68 push esi; ret 0_2_0004EA6A
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00048B85 push ecx; ret 0_2_00048B98
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004EC43 push esi; ret 0_2_0004EC45
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004ED2C push edi; ret 0_2_0004ED2E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D760D8 push es; ret 1_2_06D760D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_06D760C0 push es; ret 1_2_06D760D0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_070CA265 push FFFFFF8Bh; retf 1_2_070CA1FB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_070C15C0 push es; ret 1_2_070C15D0
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | File created: \ship docs_ci pl hbl coo_.exe
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00024A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000A55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Ship Docs_CI PL HBL COO_.exe PID: 6752, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | API/Special instruction interceptor: Address: 19D3214
                    Source: Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599777
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599447
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599308
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598100
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595282
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595161
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594963
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594857
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594593
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594457
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593780
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593108
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 592562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3257
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 6527
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100533
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | API coverage: 4.7 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00084696 GetFileAttributesW,FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008C93C FindFirstFileW,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00083A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00083D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0008BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00024AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98828
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98266
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98017
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97824
                    Source: RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: vmware
                    Source: RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: VMwareVBox
                    Source: RegSvcs.exe, 00000001.00000002.4114088603.000000000655D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | API call chain: ExitProcess graph end node graph_0-97982
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | API call chain: ExitProcess graph end node graph_0-99031

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_03137EC8 CheckRemoteDebuggerPresent
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000941FD BlockInput
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00023B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00055CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0009C304 LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_019D3480 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_019D34E0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_019D1E70 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004A364 SetUnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11F1008
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00078C93 LogonUserW
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00023B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00024A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00084EC9 mouse_event
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00084C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                    Source: Ship Docs_CI PL HBL COO_.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: Ship Docs_CI PL HBL COO_.exe | Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0004886B cpuid
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_000550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00062230 GetUserNameW
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_0005418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00024AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Ship Docs_CI PL HBL COO_.exe PID: 6752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6776, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_81
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_XP
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_XPe
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_VISTA
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_7
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: WIN_8
                    Source: Ship Docs_CI PL HBL COO_.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara matchFile source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Ship Docs_CI PL HBL COO_.exe PID: 6752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 6776, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.Ship Docs_CI PL HBL COO_.exe.3010000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Ship Docs_CI PL HBL COO_.exe PID: 6752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6776, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00096596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00096596
                    Source: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe | Code function: 0_2_00096A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00096A5A
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire Infrastructure2
                    Valid Accounts
                    221
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    Exploitation for Privilege Escalation
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    2
                    Ingress Tool Transfer
                    Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts2
                    Native API
                    2
                    Valid Accounts
                    1
                    DLL Side-Loading
                    11
                    Deobfuscate/Decode Files or Information
                    121
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    11
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
                    Valid Accounts
                    2
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    2
                    File and Directory Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
                    Access Token Manipulation
                    1
                    DLL Side-Loading
                    NTDS138
                    System Information Discovery
                    Distributed Component Object Model121
                    Input Capture
                    2
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                    Process Injection
                    2
                    Valid Accounts
                    LSA Secrets651
                    Security Software Discovery
                    SSH3
                    Clipboard Data
                    23
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts231
                    Virtualization/Sandbox Evasion
                    Cached Domain Credentials231
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                    Access Token Manipulation
                    DCSync2
                    Process Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
                    Process Injection
                    Proc Filesystem11
                    Application Window Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                    System Owner/User Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                    System Network Configuration Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Source | Detection | Scanner | Label
                    Ship Docs_CI PL HBL COO_.exe | 28% | Virustotal |
                    Ship Docs_CI PL HBL COO_.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    api.ipify.org | 0% | Virustotal |
                    ip-api.com | 0% | Virustotal |
                    mail.suplementvases.com | 2% | Virustotal |
                    Source | Detection | Scanner | Label
                    https://api.ipify.org/ | 0% | URL Reputation | safe
                    https://api.ipify.org/ | 0% | URL Reputation | safe
                    https://api.ipify.org | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                    http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                    http://mail.suplementvases.com | 100% | Avira URL Cloud | malware
                    http://r10.i.lencr.org/0 | 0% | Avira URL Cloud | safe
                    http://r10.o.lencr.org0# | 0% | Avira URL Cloud | safe
                    http://r10.i.lencr.org/0 | 0% | Virustotal |
                    http://mail.suplementvases.com | 2% | Virustotal |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.ipify.org | 104.26.12.205 | true | false | | unknown
                    ip-api.com | 208.95.112.1 | true | true | | unknown
                    mail.suplementvases.com | 131.226.2.151 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | URL Reputation: safe; URL Reputation: safe | unknown
                    http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org | Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://r10.o.lencr.org0# | RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4117085657.000000000A41B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114399590.000000000662A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114088603.000000000655D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://account.dyn.com/ | Ship Docs_CI PL HBL COO_.exe, 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
                    http://mail.suplementvases.com | RegSvcs.exe, 00000001.00000002.4112584252.00000000033F7000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003824000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000036A5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003553000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003447000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: malware | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000001.00000002.4112584252.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.c.lencr.org/0 | RegSvcs.exe, 00000001.00000002.4114245949.00000000065E1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114305204.00000000065FD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.i.lencr.org/0 | RegSvcs.exe, 00000001.00000002.4114245949.00000000065E1000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114305204.00000000065FD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://r10.i.lencr.org/0 | RegSvcs.exe, 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4111906517.00000000014B6000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4112584252.0000000003610000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4117085657.000000000A41B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114399590.000000000662A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000001.00000002.4114088603.000000000655D000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
                    104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                    131.226.2.151 | mail.suplementvases.com | United States | 16797 | UNASSIGNED | true
                    Joe Sandbox version: 40.0.0 Tourmaline
                    Analysis ID: 1467921
                    Start date and time: 2024-07-05 02:21:07 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 7m 58s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 6
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: Ship Docs_CI PL HBL COO_.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@3/4@3/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 57
                    • Number of non-executed functions: 267
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information.
                    • Report size exceeded maximum capacity and may have missing disassembly code.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    20:21:56 | API Interceptor | 9799834x Sleep call for process: RegSvcs.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    208.95.112.1 | SOA Payment for June 30th.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | bL1WCnC18s.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | A1YOFV1abV.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | main.ps1 | malicious | Unknown | ip-api.com/json
                    208.95.112.1 | main.ps1 | malicious | Unknown | ip-api.com/json
                    208.95.112.1 | Orden.xlam.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | 20240704-455.exe | malicious | GuLoader | ip-api.com/line/?fields=hosting
                    208.95.112.1 | McrflHf6vg.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
                    208.95.112.1 | Order List Pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    104.26.12.205 | SecuriteInfo.com.Win64.RansomX-gen.22171.1307.exe | malicious | Conti, PureLog Stealer, Targeted Ransomware | api.ipify.org/
                    104.26.12.205 | 482730621.exe | malicious | Stealit | api.ipify.org/?format=json
                    104.26.12.205 | 482730621.exe | malicious | Stealit | api.ipify.org/?format=json
                    104.26.12.205 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
                    104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
                    104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
                    104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    mail.suplementvases.com | Doc_CI_PL_HBL_COO_Insu_.exe | malicious | AgentTesla | 131.226.2.151
                    mail.suplementvases.com | Vsl_MV DART TRADER_001.exe | malicious | AgentTesla | 131.226.2.151
                    mail.suplementvases.com | DHL Arrival Notice.exe | malicious | AgentTesla | 131.226.2.151
                    mail.suplementvases.com | Payroll List or Salary List.exe | malicious | AgentTesla | 131.226.2.151
                    mail.suplementvases.com | Cosco_RFQ_June_.exe | malicious | AgentTesla | 131.226.2.151
                    mail.suplementvases.com | Payroll List or Salary List.vbs | malicious | AgentTesla, GuLoader | 131.226.2.151
                    mail.suplementvases.com | STS_Bunker_00617.vbs | malicious | AgentTesla, GuLoader | 131.226.2.151
                    ip-api.com | SOA Payment for June 30th.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | bL1WCnC18s.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | A1YOFV1abV.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | main.ps1 | malicious | Unknown | 208.95.112.1
                    ip-api.com | main.ps1 | malicious | Unknown | 208.95.112.1
                    ip-api.com | Orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | 20240704-455.exe | malicious | GuLoader | 208.95.112.1
                    ip-api.com | McrflHf6vg.exe | malicious | WhiteSnake Stealer | 208.95.112.1
                    ip-api.com | Order List Pdf.exe | malicious | AgentTesla | 208.95.112.1
                    api.ipify.org | M.V TBN - VESSEL'S DETAILS.docx.scr.exe | malicious | AgentTesla | 104.26.13.205
                    api.ipify.org | 0001.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
                    api.ipify.org | Zz3h8cOX1E.exe | malicious | Quasar | 104.26.13.205
                    api.ipify.org | Luciana Alvarez CV.exe | malicious | AgentTesla | 104.26.13.205
                    api.ipify.org | Acal BFi UK - Products List 020240704.exe | malicious | AgentTesla, RedLine, StormKitty, XWorm | 172.67.74.152
                    api.ipify.org | z4XlS0wTQM.exe | malicious | Quasar | 104.26.12.205
                    api.ipify.org | Zz3h8cOX1E.exe | malicious | Quasar | 104.26.13.205
                    api.ipify.org | 5gO02Ijl9V.exe | malicious | GuLoader | 104.26.12.205
                    api.ipify.org | 0NJYTCJYLo.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
                    api.ipify.org | Order 0003994887588960600000.bat.exe | malicious | GuLoader | 172.67.74.152
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    CLOUDFLARENETUS | https://rb.gy/zsqpja | malicious | HTMLPhisher | 104.17.2.184
                    CLOUDFLARENETUS | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 188.114.97.3
                    CLOUDFLARENETUS | http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | 188.114.97.3
                    CLOUDFLARENETUS | http://services.business-manange.com/ | malicious | HTMLPhisher | 172.67.138.117
                    CLOUDFLARENETUS | http://pub-2e7429ed1f544f43a4684eeceb978dbb.r2.dev/home.html | malicious | HTMLPhisher | 104.18.2.35
                    CLOUDFLARENETUS | http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | 104.26.8.44
                    CLOUDFLARENETUS | http://www.anuihafw369.xyz/m/register/ | malicious | Unknown | 104.17.24.14
                    CLOUDFLARENETUS | https://pub-1b634168cd404e2d8bece63d5ebb4798.r2.dev/uint.html?schweissdoors | malicious | HTMLPhisher | 104.18.2.35
                    CLOUDFLARENETUS | https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs | malicious | HTMLPhisher | 104.18.2.35
                    CLOUDFLARENETUS | https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | malicious | Unknown | 104.17.25.14
                    TUT-ASUS | SOA Payment for June 30th.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | SecuriteInfo.com.Win32.MalwareX-gen.20684.5190.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | bL1WCnC18s.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | A1YOFV1abV.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | main.ps1 | malicious | Unknown | 208.95.112.1
                    TUT-ASUS | main.ps1 | malicious | Unknown | 208.95.112.1
                    TUT-ASUS | Orden.xlam.xlsx | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | 20240704-455.exe | malicious | GuLoader | 208.95.112.1
                    TUT-ASUS | McrflHf6vg.exe | malicious | WhiteSnake Stealer | 208.95.112.1
                    TUT-ASUS | Order List Pdf.exe | malicious | AgentTesla | 208.95.112.1
                    UNASSIGNED | 95DVgihS4k.elf | malicious | Unknown | 204.76.203.63
                    UNASSIGNED | VeML3EnAwP.elf | malicious | Unknown | 204.76.203.19
                    UNASSIGNED | oR1q3XIaZu.elf | malicious | Unknown | 204.76.203.19
                    UNASSIGNED | q7r87KTHbc.exe | malicious | AgentTesla | 131.226.2.60
                    UNASSIGNED | Doc_CI_PL_HBL_COO_Insu_.exe | malicious | AgentTesla | 131.226.2.151
                    UNASSIGNED | roger.exe | malicious | AgentTesla | 131.226.2.60
                    UNASSIGNED | doc -scan file.exe | malicious | AgentTesla | 131.226.2.60
                    UNASSIGNED | Vsl_MV DART TRADER_001.exe | malicious | AgentTesla | 131.226.2.151
                    UNASSIGNED | DHL Arrival Notice.exe | malicious | AgentTesla | 131.226.2.151
                    UNASSIGNED | f6RyWmGZLw.elf | malicious | Unknown | 153.10.48.141
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    3b5074b1b5d032e5620f69f9f700ff0e | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | https://sula.starladeroff.com/ | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | malicious | HTMLPhisher | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | https://pub-9445ce0d74714d1c934c51ffcf83c3f2.r2.dev/slnt.html?nycsbs | malicious | HTMLPhisher | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | https://pradeeprunner.com/auth.html | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | https://iwahadxi.hosted.phplist.com/lists/lt.php/?tid=eU1SAFEEUlZTABhUAVAGGAZWVFsfXVQLWkkDBQIAUAwCAgcAAldPWwdaBlNRVAgYVwEEXh9QClxcSQcAUlcbWgQGAAJVVwRXBAoBSQcBAVALVA8LHwIEXVtJUg8GVxsAVVMHGA5SB1EBC1YDAQQBDAG | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | http://multichaindappsx.pages.dev/ | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | http://sp.26skins.com/steamstore/category/science_fiction/?snr=1_category_4_multiplayeronlinecompetitive_12 | malicious | Unknown | 104.26.12.205
                    3b5074b1b5d032e5620f69f9f700ff0e | M.V TBN - VESSEL'S DETAILS.docx.scr.exe | malicious | AgentTesla | 104.26.12.205
                    No context
Process: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
File Type: data
Category: dropped
Size (bytes): 246272
Entropy (8bit): 6.640227593395889
Encrypted: false
SSDEEP: 6144:0J69qjM5Rwzm8E/eOm54OSstCArVeblhtZmwciszm1FxUgn:h8eGzm8qeOVlhuedR
MD5: C9ECE500BCDACA2873F83E51285C31AD
SHA1: DA6F584915C6561AF1B1E6EB726758F9962C3555
SHA-256: 8A44F053A9A40480C5AAB796BC4CDC1398720F1C74A8B0EF7FCE2F1E1E79665A
SHA-512: 7D6017052A6A343D77CB401CDE099112DBDB206EA669431735192FA71F20C8465912C4E1425B10F29A9B8D32E3CCB88992666077C7A2DD36B7E5C6F5C77CD46C
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
File Type: data
Category: dropped
Size (bytes): 153610
Entropy (8bit): 7.92820320555911
Encrypted: false
SSDEEP: 3072:V7ap5kYVAWcrggE9+lUi0NkgWiTCNBawtc18xn62dw4s:VoeYVNcrgvYUi0/TIANA62dPs
MD5: C8B8B95F44F14AF4DB491EE2E1C0C121
SHA1: F4B821C0C62870AD893FBDCB551DFDEB19F4F6BE
SHA-256: 1E5221F3BBEE4AEB2229699B0FDF1ED0063E9E8917A5F32439F7F59758FC1C07
SHA-512: 2CE9FDD3330894AEA698B0120613BC7560C5146B213599D465F76844BC0232E61725BFE6B11DDC8174034C0D09E2FF44B407D0DEC1F96D2391041A0016AA3EFF
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
File Type: data
Category: dropped
Size (bytes): 9838
Entropy (8bit): 7.604572376847771
Encrypted: false
SSDEEP: 192:ZyaFcKb+Kfp488lkVmkX64sKX16WBVoBFuCMQeWTyNM0iP:3F7b+Kfp48Eyn0s13BVoreVM0iP
MD5: 213C2E0D25E0911A5603497024F77E59
SHA1: DDC0A581F7E0E43C0BFF2E2D31E54F831F57C7E5
SHA-256: 61330433902C3B4CA07EBF376FFF70283212B1074F92C04950F279E76EA00A34
SHA-512: D4BF293F49799608EA762C3DFD68BCD90CF371D4E839A209D21E2331E0618EB816AB3EC207F22C0612201258E329B2F1160817E2A1BABED6462BEBB598F57F79
Malicious: false
Reputation: low

Process: C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
File Type: ASCII text, with very long lines (28756), with no line terminators
Category: dropped
Size (bytes): 28756
Entropy (8bit): 3.5907145057364027
Encrypted: false
SSDEEP: 768:4iTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbd+IH6B34vfF3if6gyC3:4iTZ+2QoioGRk6ZklputwjpjBkCiw2Rc
MD5: 017E03654ECC18E67E47802F0D19C129
SHA1: A4C2D19D4EA4A3AC9DB5787788370A23519AB8D7
SHA-256: C9E0FBA21B32FC57B153ABF69B56059990C28463860378A3C05DF05374B53601
SHA-512: 563B6A9CCBDC8F117669987C6621E2B3FBF4471DCFB304F705415E54F7DB65592AFE0AB80864630EFFF8ED2EDBCDE3433E88F6BBE070465C7A7CFB7519DF14C4
Malicious: false
Reputation: low

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.970108026459542
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Ship Docs_CI PL HBL COO_.exe
File size: 1'059'328 bytes
MD5: bb66e44260b8a454abcb20aeb4b13f7b
SHA1: dd6a7662d0f2a05f00dcc80dd6baa37cdefafba6
SHA256: d4c4ee49a5ce076550c8305fcd63fe86707a251a2ca7d47c67d0dbef66b2a1e3
SHA512: 9677eb4607c573e2f940ebeb2005e6151241afedfe798e54776a9808eb99644821c50c65b4d4d451d07ec4dcb2767ad3fd2768bf3ef06e263522d87a0e07a8df
SSDEEP: 24576:AAHnh+eWsN3skA4RV1Hom2KXMmHajmsE+a6U27eDQVyx5:3h+ZkldoPK8YajRNn2sVI
TLSH: 0E35AD0273D1C036FFAB92739B6AF64596BC79254133852F13981DB9BD701B2223E663
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66872A57 [Thu Jul 4 23:03:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
                    Instruction
                    call 00007FCBF47FACADh
                    jmp 00007FCBF47EDA64h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push edi
                    push esi
                    mov esi, dword ptr [esp+10h]
                    mov ecx, dword ptr [esp+14h]
                    mov edi, dword ptr [esp+0Ch]
                    mov eax, ecx
                    mov edx, ecx
                    add eax, esi
                    cmp edi, esi
                    jbe 00007FCBF47EDBEAh
                    cmp edi, eax
                    jc 00007FCBF47EDF4Eh
                    bt dword ptr [004C41FCh], 01h
                    jnc 00007FCBF47EDBE9h
                    rep movsb
                    jmp 00007FCBF47EDEFCh
                    cmp ecx, 00000080h
                    jc 00007FCBF47EDDB4h
                    mov eax, edi
                    xor eax, esi
                    test eax, 0000000Fh
                    jne 00007FCBF47EDBF0h
                    bt dword ptr [004BF324h], 01h
                    jc 00007FCBF47EE0C0h
                    bt dword ptr [004C41FCh], 00000000h
                    jnc 00007FCBF47EDD8Dh
                    test edi, 00000003h
                    jne 00007FCBF47EDD9Eh
                    test esi, 00000003h
                    jne 00007FCBF47EDD7Dh
                    bt edi, 02h
                    jnc 00007FCBF47EDBEFh
                    mov eax, dword ptr [esi]
                    sub ecx, 04h
                    lea esi, dword ptr [esi+04h]
                    mov dword ptr [edi], eax
                    lea edi, dword ptr [edi+04h]
                    bt edi, 03h
                    jnc 00007FCBF47EDBF3h
                    movq xmm1, qword ptr [esi]
                    sub ecx, 08h
                    lea esi, dword ptr [esi+08h]
                    movq qword ptr [edi], xmm1
                    lea edi, dword ptr [edi+08h]
                    test esi, 00000007h
                    je 00007FCBF47EDC45h
                    bt esi, 03h
                    Programming Language:
                    • [ASM] VS2013 build 21005
                    • [ C ] VS2013 build 21005
                    • [C++] VS2013 build 21005
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    • [ASM] VS2013 UPD5 build 40629
                    • [RES] VS2013 build 21005
                    • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x383f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x101000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x383f0 | 0x38400 | f7adc6e224ce32104b19b7736cfe977c | False | 0.8838107638888889 | data | 7.7835613813274085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x101000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc85a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc86d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc87f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc8920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc8c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca9e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xce038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd0660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd07b8 | 0x2f6b6 | data |  |  | 1.0003398033259538
RT_GROUP_ICON | 0xffe70 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xffee8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xffefc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xfff10 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xfff24 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x100000 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll: WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll: GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll: AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll: StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll: GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll: GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll: LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 5, 2024 02:21:56.497392893 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:56.497422934 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:56.497560978 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:56.514489889 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:56.514512062 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.013860941 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.013940096 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.017260075 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.017271996 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.017668009 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.064313889 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.203728914 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.248502970 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.314038038 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.314100981 CEST | 443 | 49730 | 104.26.12.205 | 192.168.2.4
Jul 5, 2024 02:21:57.314161062 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.347031116 CEST | 49730 | 443 | 192.168.2.4 | 104.26.12.205
Jul 5, 2024 02:21:57.360893965 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:57.365711927 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 02:21:57.365814924 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:57.371578932 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:57.376343012 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 02:21:57.856928110 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 02:21:57.908046961 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:59.451536894 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:59.456717014 CEST | 80 | 49731 | 208.95.112.1 | 192.168.2.4
Jul 5, 2024 02:21:59.456784010 CEST | 49731 | 80 | 192.168.2.4 | 208.95.112.1
Jul 5, 2024 02:21:59.699579954 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:21:59.704484940 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:21:59.704579115 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.249630928 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.249847889 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.254937887 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.371959925 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.373516083 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.378499031 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.497052908 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.497600079 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.502428055 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.621017933 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.621063948 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.621074915 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.621110916 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.647521973 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.652340889 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.769954920 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.773264885 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.778316021 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.895921946 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:00.897100925 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:00.902036905 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.019474983 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.020901918 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.025729895 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.143069029 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.143471003 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.148356915 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.265486002 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.265780926 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.270621061 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.389754057 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.404336929 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.409219027 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.526431084 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.527081966 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.527172089 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.527204990 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.527240038 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:22:01.531954050 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.532053947 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.532115936 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.726134062 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
Jul 5, 2024 02:22:01.769279003 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:23:39.470957041 CEST | 49732 | 587 | 192.168.2.4 | 131.226.2.151
Jul 5, 2024 02:23:39.476264000 CEST | 587 | 49732 | 131.226.2.151 | 192.168.2.4
                    Jul 5, 2024 02:23:39.595699072 CEST58749732131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:39.595938921 CEST58749732131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:39.596004009 CEST49732587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:39.596508026 CEST58749732131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:39.596556902 CEST49732587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:39.605408907 CEST49732587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:40.301357985 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:40.306231976 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:40.306951046 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:40.837789059 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:40.837984085 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:40.842820883 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:40.959556103 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:40.959712982 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:40.964528084 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.081197977 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.081728935 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.086545944 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.203874111 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.204942942 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.207978010 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.209702015 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.212711096 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.393709898 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.393946886 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.398731947 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.516202927 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.516441107 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.522135019 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.639144897 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.639305115 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.644175053 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.764051914 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.764255047 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.769126892 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.886792898 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:41.886970997 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:41.891796112 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.008642912 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.010229111 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.010297060 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.010322094 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.010462046 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.011976957 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.015047073 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.015089035 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.015173912 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.015275955 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.015362024 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.016884089 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.016927958 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.016961098 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.017004013 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.017033100 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.017086029 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.019859076 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.019910097 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.020071983 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.020118952 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.021759033 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.021816015 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.021862984 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.021893024 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.021902084 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.021909952 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.021946907 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.021971941 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.022022009 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.022185087 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.022227049 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.024914026 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.024921894 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.024950981 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.024960995 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.024986982 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.025006056 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.026479959 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026547909 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.026906967 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026925087 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026933908 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026942015 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026951075 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026958942 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.026961088 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.026983023 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:42.027012110 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027045965 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027054071 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027117014 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027168989 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027177095 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.027184963 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.029849052 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.029856920 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.029964924 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031459093 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031467915 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031471014 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031474113 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031486034 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031493902 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031501055 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031508923 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031516075 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031672955 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031682014 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031688929 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031697989 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031817913 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031826019 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031877995 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031886101 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031894922 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031903028 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031943083 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031950951 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031959057 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.031970978 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.032341003 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.032349110 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.032356024 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.032365084 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.032373905 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.363240004 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:42.564436913 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.740856886 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.745788097 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.862884998 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.863120079 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.863176107 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.863282919 CEST58749740131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.863296986 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.863332033 CEST49740587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.864214897 CEST49741587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.869002104 CEST58749741131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.869113922 CEST49741587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.986453056 CEST49741587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:54.991292953 CEST58749741131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:54.991348028 CEST49741587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.042399883 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.047230005 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.047317028 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.577599049 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.577706099 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.582566023 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.699306011 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.699444056 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.704194069 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.820871115 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.821588993 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.826410055 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.943420887 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.944072962 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.944369078 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:55.948815107 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:55.949081898 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.133482933 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.133928061 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.138664961 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.255861044 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.256159067 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.260911942 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.379215956 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.379393101 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.385350943 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.502298117 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.504164934 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.509027958 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.626143932 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.626297951 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.631356001 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.748040915 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.748328924 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.748383045 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.748445988 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.748511076 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.750149012 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.753304005 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.753361940 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.755356073 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.755409002 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.755590916 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.755670071 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.755721092 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.755779982 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.758196115 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.758243084 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.760746002 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.760792971 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.760812044 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.760864019 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.760984898 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.760994911 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.761043072 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.761065960 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.761240005 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.761293888 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.761327982 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.761395931 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.763150930 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.763196945 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.765517950 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.765599012 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.765723944 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.765775919 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.765815020 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.765867949 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.766030073 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766073942 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.766077995 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766128063 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:56.766180992 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766222954 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766408920 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766583920 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766592979 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766599894 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.766789913 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768021107 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768054962 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768071890 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768183947 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768193007 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768315077 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768323898 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768326998 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.768413067 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.770720959 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771095037 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771296978 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771307945 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771317005 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771401882 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771409988 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771539927 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771583080 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771591902 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771600008 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771639109 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771684885 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771692991 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771852970 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771899939 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771949053 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.771958113 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.772025108 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.772072077 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.772080898 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.772089958 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:56.772206068 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:57.118098974 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:23:57.173810959 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:59.881380081 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:23:59.886234045 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.002564907 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.002968073 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.003026962 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.003101110 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.003613949 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.004034996 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.004091024 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.008117914 CEST58749742131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.008797884 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.008877993 CEST49742587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.008878946 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.538870096 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.539062977 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.543960094 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.659504890 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.659665108 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.664532900 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.780388117 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.780688047 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.785617113 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.901523113 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.902390957 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.902909040 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:00.907742023 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:00.907752037 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.023160934 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.023426056 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.028270960 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.143728018 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.143913984 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.148694038 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.264615059 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.269364119 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.274162054 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.390203953 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.393506050 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.398380041 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.516614914 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.517510891 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.522496939 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.637729883 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.641836882 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.642112017 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.642112017 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.642270088 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.645386934 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.646588087 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.646848917 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.646976948 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.647017956 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.649490118 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.650234938 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.650414944 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.650548935 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.651561022 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.651675940 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.651860952 CEST49743587192.168.2.4131.226.2.151
                    Jul 5, 2024 02:24:01.654335976 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.655718088 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.656671047 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.656744957 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.656754017 CEST58749743131.226.2.151192.168.2.4
                    Jul 5, 2024 02:24:01.656816959 CEST49743587192.168.2.4131.226.2.151
Jul 5, 2024 02:24:01.656934023 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:01.661700010 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.661834002 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.661900043 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.661990881 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662058115 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:01.662125111 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662133932 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662137985 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662157059 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662200928 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662209988 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.662225962 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:01.662235022 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666321993 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666398048 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666405916 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666414976 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666488886 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666897058 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666904926 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666951895 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666960955 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.666977882 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667057991 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667067051 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667076111 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667114973 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667176008 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667185068 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667248011 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667257071 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667294025 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667301893 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667331934 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667340994 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667347908 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667363882 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667372942 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667376041 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.667428970 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:01.992937088 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:02.173872948 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:02.982029915 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:02.986943960 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.102305889 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.102399111 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.102443933 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.102561951 CEST  587  49743  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.102602005 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.104650021 CEST  49743  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.126080990 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.134736061 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.134800911 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.671472073 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.673885107 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.679081917 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.797261953 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.798535109 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.803491116 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.922094107 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:03.922462940 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:03.927309990 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.045672894 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.046264887 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.046534061 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.051115036 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.051271915 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.239314079 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.239521027 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.244529009 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.526622057 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.526875973 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.531652927 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.650324106 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.650532007 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.656321049 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.775459051 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.775669098 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.780555964 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.899427891 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:04.899611950 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:04.904421091 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.032126904 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.032589912 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.032706976 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.032738924 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.032788992 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.034099102 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.037600040 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.037611008 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.037623882 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.037678957 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.037775040 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.037947893 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.038974047 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.038990974 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.039032936 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.039073944 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.039091110 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.039099932 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.039150953 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.039809942 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.039868116 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.042283058 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.042349100 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.042798996 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.042856932 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.043972969 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.044045925 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.044162035 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.044172049 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.044255972 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.044734955 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.044810057 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.044842958 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.044918060 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.047296047 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.047380924 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.047884941 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.048181057 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.048191071 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.048280954 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.048877001 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049030066 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049104929 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.049144983 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049460888 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049493074 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049500942 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049524069 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:05.049601078 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049729109 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049756050 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049763918 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.049990892 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.050061941 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.052197933 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.052645922 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.052654982 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.052663088 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053200960 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053735018 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053755045 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053764105 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053879976 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053888083 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053895950 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053905010 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053913116 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053926945 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053936005 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053972960 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053981066 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053991079 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.053999901 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054007053 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054112911 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054121017 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054128885 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054250956 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054367065 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054433107 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054441929 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054486990 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.054496050 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.396497011 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:05.536838055 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.443231106 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.448262930 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.566541910 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.567543030 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.567657948 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.567805052 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.567868948 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.567868948 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.568675041 CEST  49745  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.572746038 CEST  587  49744  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.572839975 CEST  49744  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.573487043 CEST  587  49745  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.573585987 CEST  49745  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.658276081 CEST  49745  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.663209915 CEST  587  49745  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.663297892 CEST  49745  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.725732088 CEST  49746  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:08.733666897 CEST  587  49746  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:08.733782053 CEST  49746  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.127078056 CEST  49746  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.131897926 CEST  587  49746  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:28.131948948 CEST  49746  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.187252045 CEST  49747  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.192162991 CEST  587  49747  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:28.192236900 CEST  49747  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.379682064 CEST  49747  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.384747028 CEST  587  49747  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:28.391561031 CEST  49747  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.427588940 CEST  49748  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:28.433001995 CEST  587  49748  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:28.435514927 CEST  49748  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:32.455173016 CEST  49748  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:32.464772940 CEST  587  49748  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:32.465431929 CEST  49748  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:32.510380983 CEST  49749  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:32.515311003 CEST  587  49749  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:32.515434980 CEST  49749  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:36.142688990 CEST  49749  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:36.147790909 CEST  587  49749  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:36.147855043 CEST  49749  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:36.203234911 CEST  49750  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:36.208434105 CEST  587  49750  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:36.208533049 CEST  49750  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:37.424046040 CEST  49750  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:37.429052114 CEST  587  49750  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:37.429251909 CEST  49750  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:37.475545883 CEST  49751  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:37.480334044 CEST  587  49751  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:37.480415106 CEST  49751  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:48.502096891 CEST  49751  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:48.508300066 CEST  587  49751  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:48.508543015 CEST  49751  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:48.571562052 CEST  49752  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:48.576278925 CEST  587  49752  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:48.576447964 CEST  49752  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:53.017705917 CEST  49752  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:53.022696972 CEST  587  49752  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:53.022778988 CEST  49752  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:53.066487074 CEST  49753  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:24:53.071497917 CEST  587  49753  131.226.2.151  192.168.2.4
Jul 5, 2024 02:24:53.071592093 CEST  49753  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:00.783390999 CEST  49753  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:00.788610935 CEST  587  49753  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:00.788724899 CEST  49753  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:00.831300020 CEST  49754  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:00.836195946 CEST  587  49754  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:00.836302996 CEST  49754  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:03.064594030 CEST  49754  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:03.069626093 CEST  587  49754  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:03.073548079 CEST  49754  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:03.117235899 CEST  49755  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:03.122021914 CEST  587  49755  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:03.122178078 CEST  49755  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:24.504904032 CEST  587  49755  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:24.504966021 CEST  49755  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:24.506220102 CEST  49755  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:24.511116028 CEST  587  49755  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:30.647989035 CEST  49756  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:30.653048992 CEST  587  49756  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:30.653158903 CEST  49756  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:37.377155066 CEST  49756  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:37.382425070 CEST  587  49756  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:37.382502079 CEST  49756  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:37.428232908 CEST  49757  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:37.433024883 CEST  587  49757  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:37.433177948 CEST  49757  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:56.830503941 CEST  49757  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:56.835423946 CEST  587  49757  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:56.835478067 CEST  49757  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:56.892865896 CEST  49758  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:25:56.897640944 CEST  587  49758  131.226.2.151  192.168.2.4
Jul 5, 2024 02:25:56.897715092 CEST  49758  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:26:03.727293968 CEST  49758  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:26:03.733074903 CEST  587  49758  131.226.2.151  192.168.2.4
Jul 5, 2024 02:26:03.733186007 CEST  49758  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:26:03.781629086 CEST  49759  587  192.168.2.4  131.226.2.151
Jul 5, 2024 02:26:03.786504030 CEST  587  49759  131.226.2.151  192.168.2.4
Jul 5, 2024 02:26:03.786616087 CEST  49759  587  192.168.2.4  131.226.2.151
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Jul 5, 2024 02:21:56.482822895 CEST  59006  53  192.168.2.4  1.1.1.1
Jul 5, 2024 02:21:56.492985964 CEST  53  59006  1.1.1.1  192.168.2.4
Jul 5, 2024 02:21:57.352618933 CEST  50662  53  192.168.2.4  1.1.1.1
Jul 5, 2024 02:21:57.360333920 CEST  53  50662  1.1.1.1  192.168.2.4
Jul 5, 2024 02:21:59.452305079 CEST  50164  53  192.168.2.4  1.1.1.1
Jul 5, 2024 02:21:59.698926926 CEST  53  50164  1.1.1.1  192.168.2.4
Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Jul 5, 2024 02:21:56.482822895 CEST  192.168.2.4  1.1.1.1  0x9852  Standard query (0)  api.ipify.org  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:57.352618933 CEST  192.168.2.4  1.1.1.1  0xfdb4  Standard query (0)  ip-api.com  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:59.452305079 CEST  192.168.2.4  1.1.1.1  0x8802  Standard query (0)  mail.suplementvases.com  A (IP address)  IN (0x0001)  false
Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Jul 5, 2024 02:21:56.492985964 CEST  1.1.1.1  192.168.2.4  0x9852  No error (0)  api.ipify.org  -  104.26.12.205  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:56.492985964 CEST  1.1.1.1  192.168.2.4  0x9852  No error (0)  api.ipify.org  -  172.67.74.152  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:56.492985964 CEST  1.1.1.1  192.168.2.4  0x9852  No error (0)  api.ipify.org  -  104.26.13.205  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:57.360333920 CEST  1.1.1.1  192.168.2.4  0xfdb4  No error (0)  ip-api.com  -  208.95.112.1  A (IP address)  IN (0x0001)  false
Jul 5, 2024 02:21:59.698926926 CEST  1.1.1.1  192.168.2.4  0x8802  No error (0)  mail.suplementvases.com  -  131.226.2.151  A (IP address)  IN (0x0001)  false
                    • api.ipify.org
                    • ip-api.com
Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.4  49731  208.95.112.1  80  6776  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp  Bytes transferred  Direction  Data
Jul 5, 2024 02:21:57.371578932 CEST  80  OUT  GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jul 5, 2024 02:21:57.856928110 CEST  175  IN  HTTP/1.1 200 OK
Date: Fri, 05 Jul 2024 00:21:57 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID  Source IP  Source Port  Destination IP  Destination Port  PID  Process
0  192.168.2.4  49730  104.26.12.205  443  6776  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp  Bytes transferred  Direction  Data
2024-07-05 00:21:57 UTC  155  OUT  GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-07-05 00:21:57 UTC  211  IN  HTTP/1.1 200 OK
Date: Fri, 05 Jul 2024 00:21:57 GMT
Content-Type: text/plain
Content-Length: 11
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 89e332a8da6c726f-EWR
2024-07-05 00:21:57 UTC  11  IN  Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
Data Ascii: 8.46.123.33


Timestamp  Source Port  Dest Port  Source IP  Dest IP  Commands
Jul 5, 2024 02:22:00.249630928 CEST  587  49732  131.226.2.151  192.168.2.4  220 ns1.suplementvases.com ESMTP Postfix (Ubuntu)
Jul 5, 2024 02:22:00.249847889 CEST  49732  587  192.168.2.4  131.226.2.151  EHLO 445817
Jul 5, 2024 02:22:00.371959925 CEST  587  49732  131.226.2.151  192.168.2.4  250-ns1.suplementvases.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Jul 5, 2024 02:22:00.373516083 CEST  49732  587  192.168.2.4  131.226.2.151  STARTTLS
Jul 5, 2024 02:22:00.497052908 CEST  587  49732  131.226.2.151  192.168.2.4  220 2.0.0 Ready to start TLS
Jul 5, 2024 02:23:40.837789059 CEST  587  49740  131.226.2.151  192.168.2.4  220 ns1.suplementvases.com ESMTP Postfix (Ubuntu)
Jul 5, 2024 02:23:40.837984085 CEST  49740  587  192.168.2.4  131.226.2.151  EHLO 445817
Jul 5, 2024 02:23:40.959556103 CEST  587  49740  131.226.2.151  192.168.2.4  250-ns1.suplementvases.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Jul 5, 2024 02:23:40.959712982 CEST  49740  587  192.168.2.4  131.226.2.151  STARTTLS
Jul 5, 2024 02:23:41.081197977 CEST  587  49740  131.226.2.151  192.168.2.4  220 2.0.0 Ready to start TLS
Jul 5, 2024 02:23:55.577599049 CEST  587  49742  131.226.2.151  192.168.2.4  220 ns1.suplementvases.com ESMTP Postfix (Ubuntu)
Jul 5, 2024 02:23:55.577706099 CEST  49742  587  192.168.2.4  131.226.2.151  EHLO 445817
Jul 5, 2024 02:23:55.699306011 CEST  587  49742  131.226.2.151  192.168.2.4  250-ns1.suplementvases.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Jul 5, 2024 02:23:55.699444056 CEST  49742  587  192.168.2.4  131.226.2.151  STARTTLS
Jul 5, 2024 02:23:55.820871115 CEST  587  49742  131.226.2.151  192.168.2.4  220 2.0.0 Ready to start TLS
Jul 5, 2024 02:24:00.538870096 CEST  587  49743  131.226.2.151  192.168.2.4  220 ns1.suplementvases.com ESMTP Postfix (Ubuntu)
Jul 5, 2024 02:24:00.539062977 CEST  49743  587  192.168.2.4  131.226.2.151  EHLO 445817
Jul 5, 2024 02:24:00.659504890 CEST  587  49743  131.226.2.151  192.168.2.4  250-ns1.suplementvases.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Jul 5, 2024 02:24:00.659665108 CEST  49743  587  192.168.2.4  131.226.2.151  STARTTLS
Jul 5, 2024 02:24:00.780388117 CEST  587  49743  131.226.2.151  192.168.2.4  220 2.0.0 Ready to start TLS
Jul 5, 2024 02:24:03.671472073 CEST  587  49744  131.226.2.151  192.168.2.4  220 ns1.suplementvases.com ESMTP Postfix (Ubuntu)
Jul 5, 2024 02:24:03.673885107 CEST  49744  587  192.168.2.4  131.226.2.151  EHLO 445817
Jul 5, 2024 02:24:03.797261953 CEST  587  49744  131.226.2.151  192.168.2.4  250-ns1.suplementvases.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
Jul 5, 2024 02:24:03.798535109 CEST  49744  587  192.168.2.4  131.226.2.151  STARTTLS
Jul 5, 2024 02:24:03.922094107 CEST  587  49744  131.226.2.151  192.168.2.4  220 2.0.0 Ready to start TLS


                    Target ID:0
                    Start time:20:21:54
                    Start date:04/07/2024
                    Path:C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
                    Imagebase:0x20000
                    File size:1'059'328 bytes
                    MD5 hash:BB66E44260B8A454ABCB20AEB4B13F7B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.1644364725.0000000003010000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:20:21:55
                    Start date:04/07/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Ship Docs_CI PL HBL COO_.exe"
                    Imagebase:0xf10000
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4111602006.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.4112584252.000000000334C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:false

                      Execution Graph

                      Execution Coverage:4%
                      Dynamic/Decrypted Code Coverage:1.3%
                      Signature Coverage:2.7%
                      Total number of Nodes:2000
                      Total number of Limit Nodes:53
98926 24d61 98877->98926 98880 24d3a 98881 24d53 98880->98881 98882 24d4a FreeLibrary 98880->98882 98884 4548b 98881->98884 98882->98881 98883 24d61 2 API calls 98883->98880 98930 454a0 98884->98930 98886 24f5c 98886->98746 98886->98747 99139 24d94 98887->99139 98890 24d08 98894 24dd0 98890->98894 98891 24cff FreeLibrary 98891->98890 98892 24d94 2 API calls 98893 24ced 98892->98893 98893->98890 98893->98891 98895 40ff6 Mailbox 59 API calls 98894->98895 98896 24de5 98895->98896 98897 2538e 59 API calls 98896->98897 98898 24df1 _memmove 98897->98898 98900 24f21 98898->98900 98901 24ee9 98898->98901 98904 24e2c 98898->98904 98899 25027 69 API calls 98909 24e35 98899->98909 99154 89ba5 95 API calls 98900->99154 99143 24fe9 CreateStreamOnHGlobal 98901->99143 98904->98899 98905 2506b 74 API calls 98905->98909 98907 24ec9 98907->98755 98908 5dcd0 98910 25045 85 API calls 98908->98910 98909->98905 98909->98907 98909->98908 99149 25045 98909->99149 98911 5dce4 98910->98911 98912 2506b 74 API calls 98911->98912 98912->98907 98914 5ddf6 98913->98914 98915 2507d 98913->98915 99178 45812 98915->99178 98918 89393 99377 891e9 98918->99377 98920 893a9 98920->98762 98922 25036 98921->98922 98925 5ddb9 98921->98925 99382 45e90 98922->99382 98924 2503e 98927 24d2e 98926->98927 98928 24d6a LoadLibraryA 98926->98928 98927->98880 98927->98883 98928->98927 98929 24d7b GetProcAddress 98928->98929 98929->98927 98933 454ac __ioinit 98930->98933 98931 454bf 98979 48d68 58 API calls __getptd_noexit 98931->98979 98933->98931 98935 454f0 98933->98935 98934 454c4 98980 48ff6 9 API calls __Wcsftime_l 98934->98980 98949 50738 98935->98949 98938 454f5 98939 454fe 98938->98939 98940 4550b 98938->98940 98981 48d68 58 API calls __getptd_noexit 98939->98981 98941 45535 98940->98941 98942 45515 98940->98942 98964 50857 98941->98964 98982 48d68 58 API calls __getptd_noexit 98942->98982 98946 454cf __ioinit @_EH4_CallFilterFunc@8 98946->98886 98950 50744 __ioinit 98949->98950 98984 49e4b 98950->98984 
98952 507cd 99020 48a5d 98952->99020 98953 507c6 98991 5084e 98953->98991 98957 50843 __ioinit 98957->98938 98961 507fa EnterCriticalSection 98961->98953 98962 50752 98962->98952 98962->98953 98994 49ed3 98962->98994 99018 46e8d 59 API calls __lock 98962->99018 99019 46ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98962->99019 98973 50877 __wopenfile 98964->98973 98965 50891 99046 48d68 58 API calls __getptd_noexit 98965->99046 98967 50a4c 98967->98965 98971 50aaf 98967->98971 98968 50896 99047 48ff6 9 API calls __Wcsftime_l 98968->99047 98970 45540 98983 45562 LeaveCriticalSection LeaveCriticalSection _fprintf 98970->98983 99043 587f1 98971->99043 98973->98965 98973->98967 98973->98973 99048 43a0b 60 API calls 2 library calls 98973->99048 98975 50a45 98975->98967 99049 43a0b 60 API calls 2 library calls 98975->99049 98977 50a64 98977->98967 99050 43a0b 60 API calls 2 library calls 98977->99050 98979->98934 98980->98946 98981->98946 98982->98946 98983->98946 98985 49e5c 98984->98985 98986 49e6f EnterCriticalSection 98984->98986 98987 49ed3 __mtinitlocknum 57 API calls 98985->98987 98986->98962 98988 49e62 98987->98988 98988->98986 99027 432f5 58 API calls 3 library calls 98988->99027 99028 49fb5 LeaveCriticalSection 98991->99028 98993 50855 98993->98957 98995 49edf __ioinit 98994->98995 98996 49f00 98995->98996 98997 49ee8 98995->98997 99000 48a5d __malloc_crt 58 API calls 98996->99000 99001 49f21 __ioinit 98996->99001 99029 4a3ab 58 API calls 2 library calls 98997->99029 98999 49eed 99030 4a408 58 API calls 6 library calls 98999->99030 99003 49f15 99000->99003 99001->98962 99005 49f1c 99003->99005 99006 49f2b 99003->99006 99004 49ef4 99031 432df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99004->99031 99032 48d68 58 API calls __getptd_noexit 99005->99032 99009 49e4b __lock 58 API calls 99006->99009 99011 49f32 99009->99011 99012 49f57 99011->99012 99013 49f3f 99011->99013 99034 42f95 99012->99034 99033 4a06b 
InitializeCriticalSectionAndSpinCount 99013->99033 99016 49f4b 99040 49f73 LeaveCriticalSection _doexit 99016->99040 99018->98962 99019->98962 99021 48a6b 99020->99021 99022 4594c __malloc_crt 58 API calls 99021->99022 99023 48a9d 99021->99023 99025 48a7e 99021->99025 99022->99021 99023->98953 99026 4a06b InitializeCriticalSectionAndSpinCount 99023->99026 99025->99021 99025->99023 99042 4a372 Sleep 99025->99042 99026->98961 99028->98993 99029->98999 99030->99004 99032->99001 99033->99016 99035 42f9e RtlFreeHeap 99034->99035 99036 42fc7 _free 99034->99036 99035->99036 99037 42fb3 99035->99037 99036->99016 99041 48d68 58 API calls __getptd_noexit 99037->99041 99039 42fb9 GetLastError 99039->99036 99040->99001 99041->99039 99042->99025 99051 57fd5 99043->99051 99045 5880a 99045->98970 99046->98968 99047->98970 99048->98975 99049->98977 99050->98967 99054 57fe1 __ioinit 99051->99054 99052 57ff7 99136 48d68 58 API calls __getptd_noexit 99052->99136 99054->99052 99055 5802d 99054->99055 99062 5809e 99055->99062 99056 57ffc 99137 48ff6 9 API calls __Wcsftime_l 99056->99137 99059 58049 99138 58072 LeaveCriticalSection __unlock_fhandle 99059->99138 99061 58006 __ioinit 99061->99045 99063 580be 99062->99063 99064 4471a __wsopen_nolock 58 API calls 99063->99064 99066 580da 99064->99066 99065 49006 __invoke_watson 8 API calls 99067 587f0 99065->99067 99068 58114 99066->99068 99077 58137 99066->99077 99085 58211 99066->99085 99069 57fd5 __wsopen_helper 103 API calls 99067->99069 99070 48d34 __write 58 API calls 99068->99070 99071 5880a 99069->99071 99072 58119 99070->99072 99071->99059 99073 48d68 __Wcsftime_l 58 API calls 99072->99073 99074 58126 99073->99074 99076 48ff6 __Wcsftime_l 9 API calls 99074->99076 99075 581f5 99078 48d34 __write 58 API calls 99075->99078 99079 58130 99076->99079 99077->99075 99084 581d3 99077->99084 99080 581fa 99078->99080 99079->99059 99081 48d68 __Wcsftime_l 58 API calls 99080->99081 99082 58207 99081->99082 99083 48ff6 __Wcsftime_l 9 API calls 
99082->99083 99083->99085 99086 4d4d4 __alloc_osfhnd 61 API calls 99084->99086 99085->99065 99087 582a1 99086->99087 99088 582ce 99087->99088 99089 582ab 99087->99089 99091 57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99088->99091 99090 48d34 __write 58 API calls 99089->99090 99092 582b0 99090->99092 99099 582f0 99091->99099 99093 48d68 __Wcsftime_l 58 API calls 99092->99093 99095 582ba 99093->99095 99094 5836e GetFileType 99096 58379 GetLastError 99094->99096 99097 583bb 99094->99097 99101 48d68 __Wcsftime_l 58 API calls 99095->99101 99102 48d47 __dosmaperr 58 API calls 99096->99102 99107 4d76a __set_osfhnd 59 API calls 99097->99107 99098 5833c GetLastError 99100 48d47 __dosmaperr 58 API calls 99098->99100 99099->99094 99099->99098 99103 57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99099->99103 99104 58361 99100->99104 99101->99079 99105 583a0 CloseHandle 99102->99105 99106 58331 99103->99106 99109 48d68 __Wcsftime_l 58 API calls 99104->99109 99105->99104 99108 583ae 99105->99108 99106->99094 99106->99098 99113 583d9 99107->99113 99110 48d68 __Wcsftime_l 58 API calls 99108->99110 99109->99085 99111 583b3 99110->99111 99111->99104 99112 58594 99112->99085 99115 58767 CloseHandle 99112->99115 99113->99112 99114 51b11 __lseeki64_nolock 60 API calls 99113->99114 99123 5845a 99113->99123 99116 58443 99114->99116 99117 57f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99115->99117 99120 48d34 __write 58 API calls 99116->99120 99116->99123 99119 5878e 99117->99119 99118 510ab 70 API calls __read_nolock 99118->99123 99121 58796 GetLastError 99119->99121 99122 587c2 99119->99122 99120->99123 99124 48d47 __dosmaperr 58 API calls 99121->99124 99122->99085 99123->99112 99123->99118 99125 50d2d __close_nolock 61 API calls 99123->99125 99126 5848c 99123->99126 99130 4dac6 __write 78 API calls 99123->99130 99131 58611 99123->99131 99134 51b11 60 API calls __lseeki64_nolock 99123->99134 99127 587a2 99124->99127 99125->99123 
99126->99123 99128 599f2 __chsize_nolock 82 API calls 99126->99128 99129 4d67d __free_osfhnd 59 API calls 99127->99129 99128->99126 99129->99122 99130->99123 99132 50d2d __close_nolock 61 API calls 99131->99132 99133 58618 99132->99133 99135 48d68 __Wcsftime_l 58 API calls 99133->99135 99134->99123 99135->99085 99136->99056 99137->99061 99138->99061 99140 24ce1 99139->99140 99141 24d9d LoadLibraryA 99139->99141 99140->98892 99140->98893 99141->99140 99142 24dae GetProcAddress 99141->99142 99142->99140 99144 25003 FindResourceExW 99143->99144 99148 25020 99143->99148 99145 5dd5c LoadResource 99144->99145 99144->99148 99146 5dd71 SizeofResource 99145->99146 99145->99148 99147 5dd85 LockResource 99146->99147 99146->99148 99147->99148 99148->98904 99150 25054 99149->99150 99153 5ddd4 99149->99153 99155 45a7d 99150->99155 99152 25062 99152->98909 99154->98904 99157 45a89 __ioinit 99155->99157 99156 45a9b 99168 48d68 58 API calls __getptd_noexit 99156->99168 99157->99156 99158 45ac1 99157->99158 99170 46e4e 99158->99170 99161 45aa0 99169 48ff6 9 API calls __Wcsftime_l 99161->99169 99165 45ad6 99177 45af8 LeaveCriticalSection LeaveCriticalSection _fprintf 99165->99177 99167 45aab __ioinit 99167->99152 99168->99161 99169->99167 99171 46e80 EnterCriticalSection 99170->99171 99172 46e5e 99170->99172 99174 45ac7 99171->99174 99172->99171 99173 46e66 99172->99173 99175 49e4b __lock 58 API calls 99173->99175 99176 459ee 83 API calls 5 library calls 99174->99176 99175->99174 99176->99165 99177->99167 99181 4582d 99178->99181 99180 2508e 99180->98918 99182 45839 __ioinit 99181->99182 99183 45874 __ioinit 99182->99183 99184 4587c 99182->99184 99185 4584f _memset 99182->99185 99183->99180 99186 46e4e __lock_file 59 API calls 99184->99186 99208 48d68 58 API calls __getptd_noexit 99185->99208 99187 45882 99186->99187 99194 4564d 99187->99194 99190 45869 99209 48ff6 9 API calls __Wcsftime_l 99190->99209 99196 45668 _memset 99194->99196 99200 45683 99194->99200 99195 45673 99306 48d68 
58 API calls __getptd_noexit 99195->99306 99196->99195 99196->99200 99205 456c3 99196->99205 99198 45678 99307 48ff6 9 API calls __Wcsftime_l 99198->99307 99210 458b6 LeaveCriticalSection LeaveCriticalSection _fprintf 99200->99210 99202 457d4 _memset 99309 48d68 58 API calls __getptd_noexit 99202->99309 99205->99200 99205->99202 99211 44916 99205->99211 99218 510ab 99205->99218 99286 50df7 99205->99286 99308 50f18 58 API calls 3 library calls 99205->99308 99208->99190 99209->99183 99210->99183 99212 44935 99211->99212 99213 44920 99211->99213 99212->99205 99310 48d68 58 API calls __getptd_noexit 99213->99310 99215 44925 99311 48ff6 9 API calls __Wcsftime_l 99215->99311 99217 44930 99217->99205 99219 510e3 99218->99219 99220 510cc 99218->99220 99221 5181b 99219->99221 99226 5111d 99219->99226 99321 48d34 58 API calls __getptd_noexit 99220->99321 99336 48d34 58 API calls __getptd_noexit 99221->99336 99223 510d1 99322 48d68 58 API calls __getptd_noexit 99223->99322 99228 51125 99226->99228 99234 5113c 99226->99234 99227 51820 99337 48d68 58 API calls __getptd_noexit 99227->99337 99323 48d34 58 API calls __getptd_noexit 99228->99323 99231 51131 99338 48ff6 9 API calls __Wcsftime_l 99231->99338 99232 5112a 99324 48d68 58 API calls __getptd_noexit 99232->99324 99233 51151 99325 48d34 58 API calls __getptd_noexit 99233->99325 99234->99233 99237 5116b 99234->99237 99239 51189 99234->99239 99266 510d8 99234->99266 99237->99233 99242 51176 99237->99242 99240 48a5d __malloc_crt 58 API calls 99239->99240 99243 51199 99240->99243 99312 55ebb 99242->99312 99245 511a1 99243->99245 99246 511bc 99243->99246 99244 5128a 99247 51303 ReadFile 99244->99247 99253 512a0 GetConsoleMode 99244->99253 99326 48d68 58 API calls __getptd_noexit 99245->99326 99328 51b11 60 API calls 3 library calls 99246->99328 99250 51325 99247->99250 99251 517e3 GetLastError 99247->99251 99250->99251 99259 512f5 99250->99259 99254 512e3 99251->99254 99255 517f0 99251->99255 99252 511a6 99327 48d34 58 API calls 
__getptd_noexit 99252->99327 99257 512b4 99253->99257 99258 51300 99253->99258 99268 512e9 99254->99268 99329 48d47 58 API calls 3 library calls 99254->99329 99334 48d68 58 API calls __getptd_noexit 99255->99334 99257->99258 99261 512ba ReadConsoleW 99257->99261 99258->99247 99259->99268 99269 5135a 99259->99269 99272 515c7 99259->99272 99261->99259 99263 512dd GetLastError 99261->99263 99262 517f5 99335 48d34 58 API calls __getptd_noexit 99262->99335 99263->99254 99266->99205 99267 42f95 _free 58 API calls 99267->99266 99268->99266 99268->99267 99271 513c6 ReadFile 99269->99271 99280 51447 99269->99280 99274 513e7 GetLastError 99271->99274 99282 513f1 99271->99282 99272->99268 99273 516cd ReadFile 99272->99273 99278 516f0 GetLastError 99273->99278 99279 516fe 99273->99279 99274->99282 99275 51504 99281 514b4 MultiByteToWideChar 99275->99281 99332 51b11 60 API calls 3 library calls 99275->99332 99276 514f4 99331 48d68 58 API calls __getptd_noexit 99276->99331 99278->99279 99279->99272 99333 51b11 60 API calls 3 library calls 99279->99333 99280->99268 99280->99275 99280->99276 99280->99281 99281->99263 99281->99268 99282->99269 99330 51b11 60 API calls 3 library calls 99282->99330 99287 50e02 99286->99287 99291 50e17 99286->99291 99372 48d68 58 API calls __getptd_noexit 99287->99372 99289 50e07 99373 48ff6 9 API calls __Wcsftime_l 99289->99373 99292 50e4c 99291->99292 99297 50e12 99291->99297 99374 56234 99291->99374 99294 44916 __stbuf 58 API calls 99292->99294 99295 50e60 99294->99295 99339 50f97 99295->99339 99297->99205 99298 50e67 99298->99297 99299 44916 __stbuf 58 API calls 99298->99299 99300 50e8a 99299->99300 99300->99297 99301 44916 __stbuf 58 API calls 99300->99301 99302 50e96 99301->99302 99302->99297 99303 44916 __stbuf 58 API calls 99302->99303 99304 50ea3 99303->99304 99305 44916 __stbuf 58 API calls 99304->99305 99305->99297 99306->99198 99307->99200 99308->99205 99309->99198 99310->99215 99311->99217 99313 55ec6 99312->99313 99315 55ed3 99312->99315 
99314 48d68 __Wcsftime_l 58 API calls 99313->99314 99316 55ecb 99314->99316 99317 55edf 99315->99317 99318 48d68 __Wcsftime_l 58 API calls 99315->99318 99316->99244 99317->99244 99319 55f00 99318->99319 99320 48ff6 __Wcsftime_l 9 API calls 99319->99320 99320->99316 99321->99223 99322->99266 99323->99232 99324->99231 99325->99232 99326->99252 99327->99266 99328->99242 99329->99268 99330->99282 99331->99268 99332->99281 99333->99279 99334->99262 99335->99268 99336->99227 99337->99231 99338->99266 99340 50fa3 __ioinit 99339->99340 99341 50fc7 99340->99341 99342 50fb0 99340->99342 99344 5108b 99341->99344 99347 50fdb 99341->99347 99343 48d34 __write 58 API calls 99342->99343 99346 50fb5 99343->99346 99345 48d34 __write 58 API calls 99344->99345 99348 50ffe 99345->99348 99349 48d68 __Wcsftime_l 58 API calls 99346->99349 99350 51006 99347->99350 99351 50ff9 99347->99351 99356 48d68 __Wcsftime_l 58 API calls 99348->99356 99364 50fbc __ioinit 99349->99364 99353 51013 99350->99353 99354 51028 99350->99354 99352 48d34 __write 58 API calls 99351->99352 99352->99348 99357 48d34 __write 58 API calls 99353->99357 99355 4d446 ___lock_fhandle 59 API calls 99354->99355 99358 5102e 99355->99358 99359 51020 99356->99359 99360 51018 99357->99360 99362 51054 99358->99362 99363 51041 99358->99363 99366 48ff6 __Wcsftime_l 9 API calls 99359->99366 99361 48d68 __Wcsftime_l 58 API calls 99360->99361 99361->99359 99367 48d68 __Wcsftime_l 58 API calls 99362->99367 99365 510ab __read_nolock 70 API calls 99363->99365 99364->99298 99368 5104d 99365->99368 99366->99364 99369 51059 99367->99369 99371 51083 __read LeaveCriticalSection 99368->99371 99370 48d34 __write 58 API calls 99369->99370 99370->99368 99371->99364 99372->99289 99373->99297 99375 48a5d __malloc_crt 58 API calls 99374->99375 99376 56249 99375->99376 99376->99292 99380 4543a GetSystemTimeAsFileTime 99377->99380 99379 891f8 99379->98920 99381 45468 __aulldiv 99380->99381 99381->99379 99383 45e9c __ioinit 99382->99383 99384 45ec3 
99383->99384 99385 45eae 99383->99385 99387 46e4e __lock_file 59 API calls 99384->99387 99396 48d68 58 API calls __getptd_noexit 99385->99396 99388 45ec9 99387->99388 99398 45b00 67 API calls 6 library calls 99388->99398 99389 45eb3 99397 48ff6 9 API calls __Wcsftime_l 99389->99397 99392 45ed4 99399 45ef4 LeaveCriticalSection LeaveCriticalSection _fprintf 99392->99399 99394 45ee6 99395 45ebe __ioinit 99394->99395 99395->98924 99396->99389 99397->99395 99398->99392 99399->99394 99400->98804 99401->98806 99402->98856 99404 44a9f __ioinit 99403->99404 99405 44ad5 99404->99405 99406 44abd 99404->99406 99415 44acd __ioinit 99404->99415 99408 46e4e __lock_file 59 API calls 99405->99408 99483 48d68 58 API calls __getptd_noexit 99406->99483 99415->98859 99417 455e2 __ioinit 99416->99417 99418 455f6 99417->99418 99419 4560e 99417->99419 99433 899d2 __tzset_nolock _wcscmp 99432->99433 99434 8949a 99433->99434 99435 2506b 74 API calls 99433->99435 99436 89393 GetSystemTimeAsFileTime 99433->99436 99437 25045 85 API calls 99433->99437 99434->98837 99438 4432e 58 API calls __wsplitpath_helper 99434->99438 99435->99433 99436->99433 99437->99433 99438->98839 99439->98847 99788 21016 99793 24ad2 99788->99793 99794 40ff6 Mailbox 59 API calls 99793->99794 99795 24ada 99794->99795 99796 2101b 99795->99796 99803 24a94 99795->99803 99800 42f80 99796->99800 99839 42e84 99800->99839 99802 21025 99804 24aaf 99803->99804 99805 24a9d 99803->99805 99807 24afe 99804->99807 99806 42f80 __cinit 67 API calls 99805->99806 99806->99804 99808 277c7 59 API calls 99807->99808 99809 24b16 GetVersionExW 99808->99809 99810 27d2c 59 API calls 99809->99810 99811 24b59 99810->99811 99812 27e8c 59 API calls 99811->99812 99815 24b86 99811->99815 99813 24b7a 99812->99813 99835 27886 99813->99835 99816 24bf1 GetCurrentProcess IsWow64Process 99815->99816 99818 5dc8d 99815->99818 99817 24c0a 99816->99817 99819 24c20 99817->99819 99820 24c89 GetSystemInfo 99817->99820 99831 24c95 99819->99831 99821 24c56 
99820->99821 99821->99796 99824 24c32 99827 24c95 2 API calls 99824->99827 99825 24c7d GetSystemInfo 99826 24c47 99825->99826 99826->99821 99829 24c4d FreeLibrary 99826->99829 99828 24c3a GetNativeSystemInfo 99827->99828 99828->99826 99829->99821 99832 24c2e 99831->99832 99833 24c9e LoadLibraryA 99831->99833 99832->99824 99832->99825 99833->99832 99834 24caf GetProcAddress 99833->99834 99834->99832 99836 27894 99835->99836 99837 27e8c 59 API calls 99836->99837 99838 278a4 99837->99838 99838->99815 99840 42e90 __ioinit 99839->99840 99847 43457 99840->99847 99846 42eb7 __ioinit 99846->99802 99848 49e4b __lock 58 API calls 99847->99848 99849 42e99 99848->99849 99850 42ec8 DecodePointer DecodePointer 99849->99850 99851 42ef5 99850->99851 99852 42ea5 99850->99852 99851->99852 99864 489e4 59 API calls __Wcsftime_l 99851->99864 99861 42ec2 99852->99861 99854 42f58 EncodePointer EncodePointer 99854->99852 99855 42f07 99855->99854 99856 42f2c 99855->99856 99865 48aa4 61 API calls 2 library calls 99855->99865 99856->99852 99859 42f46 EncodePointer 99856->99859 99866 48aa4 61 API calls 2 library calls 99856->99866 99859->99854 99860 42f40 99860->99852 99860->99859 99867 43460 99861->99867 99864->99855 99865->99856 99866->99860 99870 49fb5 LeaveCriticalSection 99867->99870 99869 42ec7 99869->99846 99870->99869 99871 21066 99876 2f8cf 99871->99876 99873 2106c 99874 42f80 __cinit 67 API calls 99873->99874 99875 21076 99874->99875 99877 2f8f0 99876->99877 99909 40143 99877->99909 99881 2f937 99882 277c7 59 API calls 99881->99882 99883 2f941 99882->99883 99884 277c7 59 API calls 99883->99884 99885 2f94b 99884->99885 99886 277c7 59 API calls 99885->99886 99887 2f955 99886->99887 99888 277c7 59 API calls 99887->99888 99889 2f993 99888->99889 99890 277c7 59 API calls 99889->99890 99891 2fa5e 99890->99891 99919 360e7 99891->99919 99895 2fa90 99896 277c7 59 API calls 99895->99896 99897 2fa9a 99896->99897 99947 3ffde 99897->99947 99899 2fae1 99900 2faf1 GetStdHandle 99899->99900 99901 
649d5 99900->99901 99902 2fb3d 99900->99902 99901->99902 99904 649de 99901->99904 99903 2fb45 OleInitialize 99902->99903 99903->99873 99954 86dda 64 API calls Mailbox 99904->99954 99906 649e5 99955 874a9 CreateThread 99906->99955 99908 649f1 CloseHandle 99908->99903 99956 4021c 99909->99956 99912 4021c 59 API calls 99913 40185 99912->99913 99914 277c7 59 API calls 99913->99914 99915 40191 99914->99915 99916 27d2c 59 API calls 99915->99916 99917 2f8f6 99916->99917 99918 403a2 6 API calls 99917->99918 99918->99881 99920 277c7 59 API calls 99919->99920 99921 360f7 99920->99921 99922 277c7 59 API calls 99921->99922 99923 360ff 99922->99923 99963 35bfd 99923->99963 99926 35bfd 59 API calls 99927 3610f 99926->99927 99928 277c7 59 API calls 99927->99928 99929 3611a 99928->99929 99930 40ff6 Mailbox 59 API calls 99929->99930 99931 2fa68 99930->99931 99932 36259 99931->99932 99933 36267 99932->99933 99934 277c7 59 API calls 99933->99934 99935 36272 99934->99935 99936 277c7 59 API calls 99935->99936 99937 3627d 99936->99937 99938 277c7 59 API calls 99937->99938 99939 36288 99938->99939 99940 277c7 59 API calls 99939->99940 99941 36293 99940->99941 99942 35bfd 59 API calls 99941->99942 99943 3629e 99942->99943 99944 40ff6 Mailbox 59 API calls 99943->99944 99945 362a5 RegisterWindowMessageW 99944->99945 99945->99895 99948 75cc3 99947->99948 99949 3ffee 99947->99949 99966 89d71 60 API calls 99948->99966 99950 40ff6 Mailbox 59 API calls 99949->99950 99952 3fff6 99950->99952 99952->99899 99953 75cce 99954->99906 99955->99908 99967 8748f 65 API calls 99955->99967 99957 277c7 59 API calls 99956->99957 99958 40227 99957->99958 99959 277c7 59 API calls 99958->99959 99960 4022f 99959->99960 99961 277c7 59 API calls 99960->99961 99962 4017b 99961->99962 99962->99912 99964 277c7 59 API calls 99963->99964 99965 35c05 99964->99965 99965->99926 99966->99953 99968 19d295b 99971 19d25d0 99968->99971 99970 19d29a7 99984 19d0000 99971->99984 99974 19d26a0 CreateFileW 99975 19d266f 99974->99975 
99978 19d26ad 99974->99978 99976 19d26c9 VirtualAlloc 99975->99976 99975->99978 99982 19d27d0 FindCloseChangeNotification 99975->99982 99983 19d27e0 VirtualFree 99975->99983 99987 19d34e0 GetPEB 99975->99987 99977 19d26ea ReadFile 99976->99977 99976->99978 99977->99978 99981 19d2708 VirtualAlloc 99977->99981 99979 19d28bc VirtualFree 99978->99979 99980 19d28ca 99978->99980 99979->99980 99980->99970 99981->99975 99981->99978 99982->99975 99983->99975 99989 19d3480 GetPEB 99984->99989 99986 19d068b 99986->99975 99988 19d350a 99987->99988 99988->99974 99990 19d34aa 99989->99990 99990->99986 99991 21055 99996 22649 99991->99996 99994 42f80 __cinit 67 API calls 99995 21064 99994->99995 99997 277c7 59 API calls 99996->99997 99998 226b7 99997->99998 100003 23582 99998->100003 100001 22754 100002 2105a 100001->100002 100006 23416 59 API calls 2 library calls 100001->100006 100002->99994 100007 235b0 100003->100007 100006->100001 100008 235a1 100007->100008 100009 235bd 100007->100009 100008->100001 100009->100008 100010 235c4 RegOpenKeyExW 100009->100010 100010->100008 100011 235de RegQueryValueExW 100010->100011 100012 23614 RegCloseKey 100011->100012 100013 235ff 100011->100013 100012->100008 100013->100012 100014 47e93 100015 47e9f __ioinit 100014->100015 100051 4a048 GetStartupInfoW 100015->100051 100017 47ea4 100053 48dbc GetProcessHeap 100017->100053 100019 47efc 100020 47f07 100019->100020 100136 47fe3 58 API calls 3 library calls 100019->100136 100054 49d26 100020->100054 100023 47f0d 100025 47f18 __RTC_Initialize 100023->100025 100137 47fe3 58 API calls 3 library calls 100023->100137 100075 4d812 100025->100075 100027 47f27 100028 47f33 GetCommandLineW 100027->100028 100138 47fe3 58 API calls 3 library calls 100027->100138 100094 55173 GetEnvironmentStringsW 100028->100094 100031 47f32 100031->100028 100034 47f4d 100035 47f58 100034->100035 100139 432f5 58 API calls 3 library calls 100034->100139 100104 54fa8 100035->100104 100038 47f5e 100039 47f69 100038->100039 
100140 432f5 58 API calls 3 library calls 100038->100140 100118 4332f 100039->100118 100042 47f71 100043 47f7c __wwincmdln 100042->100043 100141 432f5 58 API calls 3 library calls 100042->100141 100124 2492e 100043->100124 100046 47f90 100047 47f9f 100046->100047 100142 43598 58 API calls _doexit 100046->100142 100143 43320 58 API calls _doexit 100047->100143 100050 47fa4 __ioinit 100052 4a05e 100051->100052 100052->100017 100053->100019 100144 433c7 36 API calls 2 library calls 100054->100144 100056 49d2b 100145 49f7c InitializeCriticalSectionAndSpinCount __ioinit 100056->100145 100058 49d30 100059 49d34 100058->100059 100147 49fca TlsAlloc 100058->100147 100146 49d9c 61 API calls 2 library calls 100059->100146 100062 49d39 100062->100023 100063 49d46 100063->100059 100064 49d51 100063->100064 100148 48a15 100064->100148 100067 49d93 100156 49d9c 61 API calls 2 library calls 100067->100156 100070 49d72 100070->100067 100072 49d78 100070->100072 100071 49d98 100071->100023 100155 49c73 58 API calls 4 library calls 100072->100155 100074 49d80 GetCurrentThreadId 100074->100023 100076 4d81e __ioinit 100075->100076 100077 49e4b __lock 58 API calls 100076->100077 100078 4d825 100077->100078 100079 48a15 __calloc_crt 58 API calls 100078->100079 100080 4d836 100079->100080 100081 4d8a1 GetStartupInfoW 100080->100081 100082 4d841 __ioinit @_EH4_CallFilterFunc@8 100080->100082 100083 4d9e5 100081->100083 100088 4d8b6 100081->100088 100082->100027 100084 4daad 100083->100084 100089 4da32 GetStdHandle 100083->100089 100090 4da45 GetFileType 100083->100090 100169 4a06b InitializeCriticalSectionAndSpinCount 100083->100169 100170 4dabd LeaveCriticalSection _doexit 100084->100170 100085 4d904 100085->100083 100091 4d938 GetFileType 100085->100091 100168 4a06b InitializeCriticalSectionAndSpinCount 100085->100168 100087 48a15 __calloc_crt 58 API calls 100087->100088 100088->100083 100088->100085 100088->100087 100089->100083 100090->100083 100091->100085 100095 55184 100094->100095 
100096 47f43 100094->100096 100097 48a5d __malloc_crt 58 API calls 100095->100097 100100 54d6b GetModuleFileNameW 100096->100100 100098 551aa _memmove 100097->100098 100099 551c0 FreeEnvironmentStringsW 100098->100099 100099->100096 100101 54d9f _wparse_cmdline 100100->100101 100102 48a5d __malloc_crt 58 API calls 100101->100102 100103 54ddf _wparse_cmdline 100101->100103 100102->100103 100103->100034 100105 54fc1 __NMSG_WRITE 100104->100105 100109 54fb9 100104->100109 100106 48a15 __calloc_crt 58 API calls 100105->100106 100114 54fea __NMSG_WRITE 100106->100114 100107 55041 100108 42f95 _free 58 API calls 100107->100108 100108->100109 100109->100038 100110 48a15 __calloc_crt 58 API calls 100110->100114 100111 55066 100112 42f95 _free 58 API calls 100111->100112 100112->100109 100114->100107 100114->100109 100114->100110 100114->100111 100115 5507d 100114->100115 100171 54857 58 API calls __Wcsftime_l 100114->100171 100172 49006 IsProcessorFeaturePresent 100115->100172 100117 55089 100117->100038 100119 4333b __IsNonwritableInCurrentImage 100118->100119 100187 4a711 100119->100187 100121 43359 __initterm_e 100122 42f80 __cinit 67 API calls 100121->100122 100123 43378 __cinit __IsNonwritableInCurrentImage 100121->100123 100122->100123 100123->100042 100125 24948 100124->100125 100135 249e7 100124->100135 100126 24982 IsThemeActive 100125->100126 100190 435ac 100126->100190 100130 249ae 100202 24a5b SystemParametersInfoW SystemParametersInfoW 100130->100202 100132 249ba 100203 23b4c 100132->100203 100134 249c2 SystemParametersInfoW 100134->100135 100135->100046 100136->100020 100137->100025 100138->100031 100142->100047 100143->100050 100144->100056 100145->100058 100146->100062 100147->100063 100149 48a1c 100148->100149 100151 48a57 100149->100151 100153 48a3a 100149->100153 100157 55446 100149->100157 100151->100067 100154 4a026 TlsSetValue 100151->100154 100153->100149 100153->100151 100165 4a372 Sleep 100153->100165 100154->100070 100155->100074 100156->100071 
100158 55451 100157->100158 100160 5546c 100157->100160 100159 5545d 100158->100159 100158->100160 100166 48d68 58 API calls __getptd_noexit 100159->100166 100161 5547c RtlAllocateHeap 100160->100161 100163 55462 100160->100163 100167 435e1 DecodePointer 100160->100167 100161->100160 100161->100163 100163->100149 100165->100153 100166->100163 100167->100160 100168->100085 100169->100083 100170->100082 100171->100114 100173 49011 100172->100173 100178 48e99 100173->100178 100177 4902c 100177->100117 100179 48eb3 _memset ___raise_securityfailure 100178->100179 100180 48ed3 IsDebuggerPresent 100179->100180 100186 4a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 100180->100186 100182 48f97 ___raise_securityfailure 100183 4c836 __fltout2 6 API calls 100182->100183 100184 48fba 100183->100184 100185 4a380 GetCurrentProcess TerminateProcess 100184->100185 100185->100177 100186->100182 100188 4a714 EncodePointer 100187->100188 100188->100188 100189 4a72e 100188->100189 100189->100121 100191 49e4b __lock 58 API calls 100190->100191 100192 435b7 DecodePointer EncodePointer 100191->100192 100255 49fb5 LeaveCriticalSection 100192->100255 100194 249a7 100195 43614 100194->100195 100196 4361e 100195->100196 100197 43638 100195->100197 100196->100197 100256 48d68 58 API calls __getptd_noexit 100196->100256 100197->100130 100199 43628 100257 48ff6 9 API calls __Wcsftime_l 100199->100257 100201 43633 100201->100130 100202->100132 100204 23b59 __ftell_nolock 100203->100204 100205 277c7 59 API calls 100204->100205 100206 23b63 GetCurrentDirectoryW 100205->100206 100258 23778 100206->100258 100208 23b8c IsDebuggerPresent 100209 5d4ad MessageBoxA 100208->100209 100210 23b9a 100208->100210 100212 5d4c7 100209->100212 100210->100212 100213 23bb7 100210->100213 100242 23c73 100210->100242 100211 23c7a SetCurrentDirectoryW 100216 23c87 Mailbox 100211->100216 100457 27373 59 API calls Mailbox 100212->100457 100339 273e5 100213->100339 100216->100134 100217 5d4d7 100222 5d4ed 
SetCurrentDirectoryW 100217->100222 100222->100216 100242->100211 100255->100194 100256->100199 100257->100201 100259 277c7 59 API calls 100258->100259 100260 2378e 100259->100260 100466 23d43 100260->100466 100262 237ac 100263 24864 61 API calls 100262->100263 100264 237c0 100263->100264 100265 27f41 59 API calls 100264->100265 100266 237cd 100265->100266 100267 24f3d 136 API calls 100266->100267 100268 237e6 100267->100268 100269 5d3ae 100268->100269 100270 237ee Mailbox 100268->100270 100512 897e5 100269->100512 100274 281a7 59 API calls 100270->100274 100273 5d3cd 100276 42f95 _free 58 API calls 100273->100276 100277 23801 100274->100277 100275 24faa 84 API calls 100275->100273 100278 5d3da 100276->100278 100480 293ea 100277->100480 100281 24faa 84 API calls 100278->100281 100282 5d3e3 100281->100282 100286 23ee2 59 API calls 100282->100286 100283 27f41 59 API calls 100284 2381a 100283->100284 100483 28620 100284->100483 100288 5d3fe 100286->100288 100287 2382c Mailbox 100289 27f41 59 API calls 100287->100289 100290 23ee2 59 API calls 100288->100290 100291 23852 100289->100291 100292 5d41a 100290->100292 100293 28620 69 API calls 100291->100293 100294 24864 61 API calls 100292->100294 100296 23861 Mailbox 100293->100296 100295 5d43f 100294->100295 100297 23ee2 59 API calls 100295->100297 100299 277c7 59 API calls 100296->100299 100298 5d44b 100297->100298 100301 281a7 59 API calls 100298->100301 100300 2387f 100299->100300 100487 23ee2 100300->100487 100302 5d459 100301->100302 100304 23ee2 59 API calls 100302->100304 100306 5d468 100304->100306 100312 281a7 59 API calls 100306->100312 100308 23899 100308->100282 100309 238a3 100308->100309 100310 4313d _W_store_winword 60 API calls 100309->100310 100311 238ae 100310->100311 100311->100288 100313 238b8 100311->100313 100314 5d48a 100312->100314 100315 4313d _W_store_winword 60 API calls 100313->100315 100316 23ee2 59 API calls 100314->100316 100317 238c3 100315->100317 100318 5d497 100316->100318 100317->100292 
100319 238cd 100317->100319 100318->100318 100320 4313d _W_store_winword 60 API calls 100319->100320 100321 238d8 100320->100321 100321->100306 100322 23919 100321->100322 100324 23ee2 59 API calls 100321->100324 100322->100306 100323 23926 100322->100323 100326 2942e 59 API calls 100323->100326 100325 238fc 100324->100325 100327 281a7 59 API calls 100325->100327 100328 23936 100326->100328 100329 2390a 100327->100329 100330 291b0 59 API calls 100328->100330 100331 23ee2 59 API calls 100329->100331 100332 23944 100330->100332 100331->100322 100503 29040 100332->100503 100334 293ea 59 API calls 100336 23961 100334->100336 100335 29040 60 API calls 100335->100336 100336->100334 100336->100335 100337 23ee2 59 API calls 100336->100337 100338 239a7 Mailbox 100336->100338 100337->100336 100338->100208 100340 273f2 __ftell_nolock 100339->100340 100341 2740b 100340->100341 100342 5ee4b _memset 100340->100342 100559 248ae 100341->100559 100344 5ee67 GetOpenFileNameW 100342->100344 100346 5eeb6 100344->100346 100348 27d2c 59 API calls 100346->100348 100457->100217 100467 23d50 __ftell_nolock 100466->100467 100468 27d2c 59 API calls 100467->100468 100472 23eb6 Mailbox 100467->100472 100470 23d82 100468->100470 100469 27b52 59 API calls 100469->100470 100470->100469 100476 23db8 Mailbox 100470->100476 100471 23e89 100471->100472 100473 27f41 59 API calls 100471->100473 100472->100262 100475 23eaa 100473->100475 100474 27f41 59 API calls 100474->100476 100477 23f84 59 API calls 100475->100477 100476->100471 100476->100472 100476->100474 100479 27b52 59 API calls 100476->100479 100547 23f84 100476->100547 100477->100472 100479->100476 100481 40ff6 Mailbox 59 API calls 100480->100481 100482 2380d 100481->100482 100482->100283 100484 2862b 100483->100484 100486 28652 100484->100486 100553 28b13 69 API calls Mailbox 100484->100553 100486->100287 100488 23f05 100487->100488 100489 23eec 100487->100489 100491 27d2c 59 API calls 100488->100491 100490 281a7 59 API calls 100489->100490 
100492 2388b 100490->100492 100491->100492 100493 4313d 100492->100493 100494 431be 100493->100494 100495 43149 100493->100495 100556 431d0 60 API calls 3 library calls 100494->100556 100502 4316e 100495->100502 100554 48d68 58 API calls __getptd_noexit 100495->100554 100498 431cb 100498->100308 100499 43155 100555 48ff6 9 API calls __Wcsftime_l 100499->100555 100501 43160 100501->100308 100502->100308 100504 5f5a5 100503->100504 100506 29057 100503->100506 100504->100506 100558 28d3b 59 API calls Mailbox 100504->100558 100507 291a0 100506->100507 100508 29158 100506->100508 100511 2915f 100506->100511 100557 29e9c 60 API calls Mailbox 100507->100557 100510 40ff6 Mailbox 59 API calls 100508->100510 100510->100511 100511->100336 100513 25045 85 API calls 100512->100513 100514 89854 100513->100514 100515 899be 96 API calls 100514->100515 100516 89866 100515->100516 100517 2506b 74 API calls 100516->100517 100545 5d3c1 100516->100545 100518 89881 100517->100518 100519 2506b 74 API calls 100518->100519 100520 89891 100519->100520 100521 2506b 74 API calls 100520->100521 100522 898ac 100521->100522 100523 2506b 74 API calls 100522->100523 100524 898c7 100523->100524 100525 25045 85 API calls 100524->100525 100526 898de 100525->100526 100527 4594c __malloc_crt 58 API calls 100526->100527 100528 898e5 100527->100528 100529 4594c __malloc_crt 58 API calls 100528->100529 100530 898ef 100529->100530 100531 2506b 74 API calls 100530->100531 100532 89903 100531->100532 100533 89393 GetSystemTimeAsFileTime 100532->100533 100534 89916 100533->100534 100535 8992b 100534->100535 100536 89940 100534->100536 100537 42f95 _free 58 API calls 100535->100537 100538 899a5 100536->100538 100539 89946 100536->100539 100540 89931 100537->100540 100542 42f95 _free 58 API calls 100538->100542 100541 88d90 116 API calls 100539->100541 100543 42f95 _free 58 API calls 100540->100543 100544 8999d 100541->100544 100542->100545 100543->100545 100546 42f95 _free 58 API calls 100544->100546 
100545->100273 100545->100275 100546->100545 100548 23f92 100547->100548 100552 23fb4 _memmove 100547->100552 100550 40ff6 Mailbox 59 API calls 100548->100550 100549 40ff6 Mailbox 59 API calls 100551 23fc8 100549->100551 100550->100552 100551->100476 100552->100549 100553->100486 100554->100499 100555->100501 100556->100498 100557->100511 100558->100506 100621 51b90 100559->100621 100622 248bb GetFullPathNameW 100621->100622 100846 2568a 100847 25c18 59 API calls 100846->100847 100848 2569c 100847->100848 100849 25632 61 API calls 100848->100849 100850 256aa 100849->100850 100852 256ba Mailbox 100850->100852 100853 281c1 61 API calls Mailbox 100850->100853 100853->100852 100854 2e70b 100857 2d260 100854->100857 100856 2e719 100858 2d27d 100857->100858 100886 2d4dd 100857->100886 100859 62b0a 100858->100859 100860 62abb 100858->100860 100890 2d2a4 100858->100890 100901 9a6fb 341 API calls __cinit 100859->100901 100863 62abe 100860->100863 100870 62ad9 100860->100870 100864 62aca 100863->100864 100863->100890 100899 9ad0f 341 API calls 100864->100899 100866 42f80 __cinit 67 API calls 100866->100890 100868 62cdf 100868->100868 100869 2d6ab 100869->100856 100870->100886 100900 9b1b7 341 API calls 3 library calls 100870->100900 100871 2d594 100893 28bb2 68 API calls 100871->100893 100875 2d5a3 100875->100856 100876 62c26 100905 9aa66 89 API calls 100876->100905 100880 28620 69 API calls 100880->100890 100886->100869 100906 8a0b5 89 API calls 4 library calls 100886->100906 100887 2a000 341 API calls 100887->100890 100888 281a7 59 API calls 100888->100890 100890->100866 100890->100869 100890->100871 100890->100876 100890->100880 100890->100886 100890->100887 100890->100888 100891 288a0 68 API calls __cinit 100890->100891 100892 286a2 68 API calls 100890->100892 100894 2859a 68 API calls 100890->100894 100895 2d0dc 341 API calls 100890->100895 100896 29f3a 59 API calls Mailbox 100890->100896 100897 2d060 89 API calls 100890->100897 100898 2cedd 341 API calls 100890->100898 
100902 28bb2 68 API calls 100890->100902 100903 29e9c 60 API calls Mailbox 100890->100903 100904 76d03 60 API calls 100890->100904 100891->100890 100892->100890 100893->100875 100894->100890 100895->100890 100896->100890 100897->100890 100898->100890 100899->100869 100900->100886 100901->100890 100902->100890 100903->100890 100904->100890 100905->100886 100906->100868 100907 19d23b0 100908 19d0000 GetPEB 100907->100908 100909 19d2455 100908->100909 100921 19d22a0 100909->100921 100922 19d22a9 Sleep 100921->100922 100923 19d22b7 100922->100923 100924 2107d 100929 271eb 100924->100929 100926 2108c 100927 42f80 __cinit 67 API calls 100926->100927 100928 21096 100927->100928 100930 271fb __ftell_nolock 100929->100930 100931 277c7 59 API calls 100930->100931 100932 272b1 100931->100932 100933 24864 61 API calls 100932->100933 100934 272ba 100933->100934 100960 4074f 100934->100960 100937 27e0b 59 API calls 100938 272d3 100937->100938 100939 23f84 59 API calls 100938->100939 100940 272e2 100939->100940 100941 277c7 59 API calls 100940->100941 100942 272eb 100941->100942 100943 27eec 59 API calls 100942->100943 100944 272f4 RegOpenKeyExW 100943->100944 100945 5ecda RegQueryValueExW 100944->100945 100950 27316 Mailbox 100944->100950 100946 5ecf7 100945->100946 100947 5ed6c RegCloseKey 100945->100947 100948 40ff6 Mailbox 59 API calls 100946->100948 100947->100950 100959 5ed7e _wcscat Mailbox __NMSG_WRITE 100947->100959 100949 5ed10 100948->100949 100951 2538e 59 API calls 100949->100951 100950->100926 100952 5ed1b RegQueryValueExW 100951->100952 100954 5ed38 100952->100954 100956 5ed52 100952->100956 100953 27b52 59 API calls 100953->100959 100955 27d2c 59 API calls 100954->100955 100955->100956 100956->100947 100957 27f41 59 API calls 100957->100959 100958 23f84 59 API calls 100958->100959 100959->100950 100959->100953 100959->100957 100959->100958 100961 51b90 __ftell_nolock 100960->100961 100962 4075c GetFullPathNameW 100961->100962 100963 4077e 100962->100963 100964 
27d2c 59 API calls 100963->100964 100965 272c5 100964->100965 100965->100937

                      Control-flow Graph

                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00023B7A
                      • IsDebuggerPresent.KERNEL32 ref: 00023B8C
                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,000E62F8,000E62E0,?,?), ref: 00023BFD
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                        • Part of subcall function 00030A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00023C26,000E62F8,?,?,?), ref: 00030ACE
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00023C81
                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,000D93F0,00000010), ref: 0005D4BC
                      • SetCurrentDirectoryW.KERNEL32(?,000E62F8,?,?,?), ref: 0005D4F4
                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,000D5D40,000E62F8,?,?,?), ref: 0005D57A
                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 0005D581
                        • Part of subcall function 00023A58: GetSysColorBrush.USER32(0000000F), ref: 00023A62
                        • Part of subcall function 00023A58: LoadCursorW.USER32(00000000,00007F00), ref: 00023A71
                        • Part of subcall function 00023A58: LoadIconW.USER32(00000063), ref: 00023A88
                        • Part of subcall function 00023A58: LoadIconW.USER32(000000A4), ref: 00023A9A
                        • Part of subcall function 00023A58: LoadIconW.USER32(000000A2), ref: 00023AAC
                        • Part of subcall function 00023A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00023AD2
                        • Part of subcall function 00023A58: RegisterClassExW.USER32(?), ref: 00023B28
                        • Part of subcall function 000239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00023A15
                        • Part of subcall function 000239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00023A36
                        • Part of subcall function 000239E7: ShowWindow.USER32(00000000,?,?), ref: 00023A4A
                        • Part of subcall function 000239E7: ShowWindow.USER32(00000000,?,?), ref: 00023A53
                        • Part of subcall function 000243DB: _memset.LIBCMT ref: 00024401
                        • Part of subcall function 000243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 000244A6
                      Strings
                      • This is a third-party compiled AutoIt script., xrefs: 0005D4B4
                      • runas, xrefs: 0005D575
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                      • String ID: This is a third-party compiled AutoIt script.$runas
                      • API String ID: 529118366-3287110873
                      • Opcode ID: a2b372761bd9e46104b734c910b22a69c87d5356d0a3fafb041da7309b9850db
                      • Instruction ID: 59495b6d71ac02a001ae0aadc255618a257d9aa499bcb827c34bbd84f844366d
                      • Opcode Fuzzy Hash: a2b372761bd9e46104b734c910b22a69c87d5356d0a3fafb041da7309b9850db
                      • Instruction Fuzzy Hash: A0515830D08699AEDF21EBB0FC45EFE7B78AF15740F00416AFA157A1A3DA394605CB21

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 996 24afe-24b5e call 277c7 GetVersionExW call 27d2c 1001 24b64 996->1001 1002 24c69-24c6b 996->1002 1004 24b67-24b6c 1001->1004 1003 5db90-5db9c 1002->1003 1005 5db9d-5dba1 1003->1005 1006 24b72 1004->1006 1007 24c70-24c71 1004->1007 1009 5dba4-5dbb0 1005->1009 1010 5dba3 1005->1010 1008 24b73-24baa call 27e8c call 27886 1006->1008 1007->1008 1018 24bb0-24bb1 1008->1018 1019 5dc8d-5dc90 1008->1019 1009->1005 1012 5dbb2-5dbb7 1009->1012 1010->1009 1012->1004 1014 5dbbd-5dbc4 1012->1014 1014->1003 1016 5dbc6 1014->1016 1020 5dbcb-5dbce 1016->1020 1018->1020 1021 24bb7-24bc2 1018->1021 1022 5dc92 1019->1022 1023 5dca9-5dcad 1019->1023 1024 5dbd4-5dbf2 1020->1024 1025 24bf1-24c08 GetCurrentProcess IsWow64Process 1020->1025 1026 5dc13-5dc19 1021->1026 1027 24bc8-24bca 1021->1027 1028 5dc95 1022->1028 1030 5dcaf-5dcb8 1023->1030 1031 5dc98-5dca1 1023->1031 1024->1025 1029 5dbf8-5dbfe 1024->1029 1032 24c0a 1025->1032 1033 24c0d-24c1e 1025->1033 1038 5dc23-5dc29 1026->1038 1039 5dc1b-5dc1e 1026->1039 1034 24bd0-24bd3 1027->1034 1035 5dc2e-5dc3a 1027->1035 1028->1031 1036 5dc00-5dc03 1029->1036 1037 5dc08-5dc0e 1029->1037 1030->1028 1040 5dcba-5dcbd 1030->1040 1031->1023 1032->1033 1041 24c20-24c30 call 24c95 1033->1041 1042 24c89-24c93 GetSystemInfo 1033->1042 1043 24bd9-24be8 1034->1043 1044 5dc5a-5dc5d 1034->1044 1046 5dc44-5dc4a 1035->1046 1047 5dc3c-5dc3f 1035->1047 1036->1025 1037->1025 1038->1025 1039->1025 1040->1031 1055 24c32-24c3f call 24c95 1041->1055 1056 24c7d-24c87 GetSystemInfo 1041->1056 1045 24c56-24c66 1042->1045 1049 5dc4f-5dc55 1043->1049 1050 24bee 1043->1050 1044->1025 1052 5dc63-5dc78 1044->1052 1046->1025 1047->1025 1049->1025 1050->1025 1053 5dc82-5dc88 1052->1053 1054 5dc7a-5dc7d 1052->1054 1053->1025 1054->1025 1061 24c41-24c45 GetNativeSystemInfo 1055->1061 1062 24c76-24c7b 1055->1062 1057 24c47-24c4b 1056->1057 1057->1045 1060 24c4d-24c50 FreeLibrary 1057->1060 1060->1045 1061->1057 1062->1061
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00024B2B
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      • GetCurrentProcess.KERNEL32(?,000AFAEC,00000000,00000000,?), ref: 00024BF8
                      • IsWow64Process.KERNEL32(00000000), ref: 00024BFF
                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00024C45
                      • FreeLibrary.KERNEL32(00000000), ref: 00024C50
                      • GetSystemInfo.KERNEL32(00000000), ref: 00024C81
                      • GetSystemInfo.KERNEL32(00000000), ref: 00024C8D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                      • String ID:
                      • API String ID: 1986165174-0
                      • Opcode ID: 46deadc8d893287a7924d8d0ab2da59761642693fb6273df0820bdd5227818d6
                      • Instruction ID: 0c1ebfa1ad7318c9b30df4ddeb522eaa95cde16ac6bffa48f5c12955a800260a
                      • Opcode Fuzzy Hash: 46deadc8d893287a7924d8d0ab2da59761642693fb6273df0820bdd5227818d6
                      • Instruction Fuzzy Hash: F591E53154ABD1DEC772CB6894611ABFFE4AF2A300B544D9EE4CB93A01D224F90CC759

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1063 24fe9-25001 CreateStreamOnHGlobal 1064 25003-2501a FindResourceExW 1063->1064 1065 25021-25026 1063->1065 1066 25020 1064->1066 1067 5dd5c-5dd6b LoadResource 1064->1067 1066->1065 1067->1066 1068 5dd71-5dd7f SizeofResource 1067->1068 1068->1066 1069 5dd85-5dd90 LockResource 1068->1069 1069->1066 1070 5dd96-5ddb4 1069->1070 1070->1066
                      APIs
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00024EEE,?,?,00000000,00000000), ref: 00024FF9
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00024EEE,?,?,00000000,00000000), ref: 00025010
                      • LoadResource.KERNEL32(?,00000000,?,?,00024EEE,?,?,00000000,00000000,?,?,?,?,?,?,00024F8F), ref: 0005DD60
                      • SizeofResource.KERNEL32(?,00000000,?,?,00024EEE,?,?,00000000,00000000,?,?,?,?,?,?,00024F8F), ref: 0005DD75
                      • LockResource.KERNEL32(00024EEE,?,?,00024EEE,?,?,00000000,00000000,?,?,?,?,?,?,00024F8F,00000000), ref: 0005DD88
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: 99752618041d6cf41ba63375118349edd80ef8add2ca3e8d3364232aff0589f5
                      • Instruction ID: 18680caa990782d191ccce07ef4d5461bae001782b58da9c93d04a1eb58047c5
                      • Opcode Fuzzy Hash: 99752618041d6cf41ba63375118349edd80ef8add2ca3e8d3364232aff0589f5
                      • Instruction Fuzzy Hash: 2B115E75240B01AFE7218BA5EC98F777BB9EBCAB52F104168F805CA260DB75EC008660
                      APIs
                      • GetFileAttributesW.KERNELBASE(?,0005E7C1), ref: 000846A6
                      • FindFirstFileW.KERNELBASE(?,?), ref: 000846B7
                      • FindClose.KERNEL32(00000000), ref: 000846C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirst
                      • String ID:
                      • API String ID: 48322524-0
                      • Opcode ID: 8d455b3c7ab02936f2144ba0d8a6b5884688bb0f266583a6441bcd006af5db49
                      • Instruction ID: 29fc1ba1ae33f3ce3f24b5192fb83bfd32589e3ca2edf0d72a094197f5302e39
                      • Opcode Fuzzy Hash: 8d455b3c7ab02936f2144ba0d8a6b5884688bb0f266583a6441bcd006af5db49
                      • Instruction Fuzzy Hash: DEE0D8329108025B56107778EC4D4FA779CAF07335F100715F8B5C10E0FBB45D608796
                      Strings
                      • Variable must be of type 'Object'., xrefs: 0006428C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID: Variable must be of type 'Object'.
                      • API String ID: 0-109567571
                      • Opcode ID: 3a7c8c5686bafab0c44408aaa0b68868ac727114439143b465363a3471319f73
                      • Instruction ID: 80903c9ed852d550bdbe776e39b48f9f3ab19a8766e1d4869dc4dfff17ab9a7b
                      • Opcode Fuzzy Hash: 3a7c8c5686bafab0c44408aaa0b68868ac727114439143b465363a3471319f73
                      • Instruction Fuzzy Hash: C9A29174A04265CFDB64CF54E480AAEB7F2FF59300F64806AE906AB351D735ED42CB91
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00030BBB
                      • timeGetTime.WINMM ref: 00030E76
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00030FB3
                      • TranslateMessage.USER32(?), ref: 00030FC7
                      • DispatchMessageW.USER32(?), ref: 00030FD5
                      • Sleep.KERNEL32(0000000A), ref: 00030FDF
                      • LockWindowUpdate.USER32(00000000,?,?), ref: 0003105A
                      • DestroyWindow.USER32 ref: 00031066
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00031080
                      • Sleep.KERNEL32(0000000A,?,?), ref: 000652AD
                      • TranslateMessage.USER32(?), ref: 0006608A
                      • DispatchMessageW.USER32(?), ref: 00066098
                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 000660AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                      • API String ID: 4003667617-3242690629
                      • Opcode ID: 5c57d7d29b32d13e2bd2b8610fdf4a197b5bea4bff38a77763b27554b19f3a3e
                      • Instruction ID: c76b51f1b3127b59e6805af7abd8e5ef147b757a13131a24ccef1c68e3ed5914
                      • Opcode Fuzzy Hash: 5c57d7d29b32d13e2bd2b8610fdf4a197b5bea4bff38a77763b27554b19f3a3e
                      • Instruction Fuzzy Hash: E2B2D170608741DFD729DF24C894BAEB7E5BF84304F14492DF58A972A2DB75E884CB82

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 524 893df-8948f call 51b90 call 40ff6 call 2538e call 891e9 call 25045 call 4378c 537 89542-89549 call 899be 524->537 538 89495-8949c call 899be 524->538 543 8954b-8954d 537->543 544 89552 537->544 538->543 545 894a2-89540 call 4432e call 42ffc call 42fcd call 4432e call 42fcd * 2 538->545 546 897b4-897b5 543->546 548 89555-89611 call 2506b * 8 call 89b6d call 4548b 544->548 545->548 551 897d2-897e2 call 25371 546->551 583 8961a-89635 call 8922f 548->583 584 89613-89615 548->584 587 8963b-89643 583->587 588 896c7-896d3 call 455d6 583->588 584->546 589 8964b 587->589 590 89645-89649 587->590 595 896e9-896ed 588->595 596 896d5-896e4 DeleteFileW 588->596 592 89650-8966e call 2506b 589->592 590->592 600 89698-896ae call 88bdd call 44a93 592->600 601 89670-89675 592->601 598 8978f-897a3 CopyFileW 595->598 599 896f3-8977c call 442ee call 89c74 call 88d90 595->599 596->546 603 897a5-897b2 DeleteFileW 598->603 604 897b7-897cd DeleteFileW call 89b2c 598->604 599->604 620 8977e-8978d DeleteFileW 599->620 617 896b3-896be 600->617 605 89678-8968b call 89367 601->605 603->546 604->551 615 8968d-89696 605->615 615->600 617->587 619 896c4 617->619 619->588 620->546
                      APIs
                        • Part of subcall function 000891E9: __time64.LIBCMT ref: 000891F3
                        • Part of subcall function 00025045: _fseek.LIBCMT ref: 0002505D
                      • __wsplitpath.LIBCMT ref: 000894BE
                        • Part of subcall function 0004432E: __wsplitpath_helper.LIBCMT ref: 0004436E
                      • _wcscpy.LIBCMT ref: 000894D1
                      • _wcscat.LIBCMT ref: 000894E4
                      • __wsplitpath.LIBCMT ref: 00089509
                      • _wcscat.LIBCMT ref: 0008951F
                      • _wcscat.LIBCMT ref: 00089532
                        • Part of subcall function 0008922F: _memmove.LIBCMT ref: 00089268
                        • Part of subcall function 0008922F: _memmove.LIBCMT ref: 00089277
                      • _wcscmp.LIBCMT ref: 00089479
                        • Part of subcall function 000899BE: _wcscmp.LIBCMT ref: 00089AAE
                        • Part of subcall function 000899BE: _wcscmp.LIBCMT ref: 00089AC1
                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 000896DC
                      • _wcsncpy.LIBCMT ref: 0008974F
                      • DeleteFileW.KERNEL32(?,?), ref: 00089785
                      • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0008979B
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000897AC
                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 000897BE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                      • String ID:
                      • API String ID: 1500180987-0
                      • Opcode ID: 7b15023be6d4240b5b69dab16c318821b521d01c8181c87b569ba4027920e3c1
                      • Instruction ID: 006f3ee1412282465246aaad555513eca089c6182abbeda6504033001056c7d4
                      • Opcode Fuzzy Hash: 7b15023be6d4240b5b69dab16c318821b521d01c8181c87b569ba4027920e3c1
                      • Instruction Fuzzy Hash: 4AC13FB1D00229AEDF21EF95CC85AEEB7BDFF45310F0440AAF609E6152DB709A448F65

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00023074
                      • RegisterClassExW.USER32(00000030), ref: 0002309E
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
                      • InitCommonControlsEx.COMCTL32(?), ref: 000230CC
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
                      • LoadIconW.USER32(000000A9), ref: 000230F2
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: c6ccf895a836d0b55b38754ad21977232b74c74347c39fdddec6731eac22863f
                      • Instruction ID: 618288bf6938e5a7cb6efaf90db4af8acc37dfd9c81cb266490edf5d297ff01e
                      • Opcode Fuzzy Hash: c6ccf895a836d0b55b38754ad21977232b74c74347c39fdddec6731eac22863f
                      • Instruction Fuzzy Hash: 13313AB1844346EFEB508FE4E885ADDBBF0FB1A750F10452AE580EA2A1D7BA0585CF51

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00023074
                      • RegisterClassExW.USER32(00000030), ref: 0002309E
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
                      • InitCommonControlsEx.COMCTL32(?), ref: 000230CC
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
                      • LoadIconW.USER32(000000A9), ref: 000230F2
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: a2a8bf035f1ed4ec8b80263fca5217c7ca29ca544eec2248f24856f3104dc725
                      • Instruction ID: 4d6ee1e5ff8111a5306236483820098305a95ce6db0817ff8d69137afa3a4ffa
                      • Opcode Fuzzy Hash: a2a8bf035f1ed4ec8b80263fca5217c7ca29ca544eec2248f24856f3104dc725
                      • Instruction Fuzzy Hash: 7821E8B1900259AFEB00DFD4E988BEDBBF4FB19750F00422AF511AA2A0D7BA45448F91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00024864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,000E62F8,?,000237C0,?), ref: 00024882
                        • Part of subcall function 0004074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,000272C5), ref: 00040771
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00027308
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0005ECF1
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0005ED32
                      • RegCloseKey.ADVAPI32(?), ref: 0005ED70
                      • _wcscat.LIBCMT ref: 0005EDC9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 2673923337-2727554177
                      • Opcode ID: c1b5742260e84403bc5335c241275acd8f5713f25e723b90d2dd97ce40ad644c
                      • Instruction ID: ba47e932e369705ecefdab4b37ca134c119a0dcdfa7f88c39df606791807bbd5
                      • Opcode Fuzzy Hash: c1b5742260e84403bc5335c241275acd8f5713f25e723b90d2dd97ce40ad644c
                      • Instruction Fuzzy Hash: 6F71A0715083419ED314DF65EC819AFB7F8FF94700F80052EF689AB1A1EB349949CB66

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00023A62
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00023A71
                      • LoadIconW.USER32(00000063), ref: 00023A88
                      • LoadIconW.USER32(000000A4), ref: 00023A9A
                      • LoadIconW.USER32(000000A2), ref: 00023AAC
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00023AD2
                      • RegisterClassExW.USER32(?), ref: 00023B28
                        • Part of subcall function 00023041: GetSysColorBrush.USER32(0000000F), ref: 00023074
                        • Part of subcall function 00023041: RegisterClassExW.USER32(00000030), ref: 0002309E
                        • Part of subcall function 00023041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 000230AF
                        • Part of subcall function 00023041: InitCommonControlsEx.COMCTL32(?), ref: 000230CC
                        • Part of subcall function 00023041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 000230DC
                        • Part of subcall function 00023041: LoadIconW.USER32(000000A9), ref: 000230F2
                        • Part of subcall function 00023041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00023101
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: adbc8df17e2879580e9867f1df8fbbd0432f3ee02132fa26ced523ec8b53b9f0
                      • Instruction ID: 8ab886a87e3952ec2fcf9e84a20736c82eccba5d94fbd4287528034bc8fb4c5d
                      • Opcode Fuzzy Hash: adbc8df17e2879580e9867f1df8fbbd0432f3ee02132fa26ced523ec8b53b9f0
                      • Instruction Fuzzy Hash: CB213C71D00755AFFB109FA4FC89BAD7BB4EB18B51F00412AE604BA2A0D3BE55548F54

                      Control-flow Graph

                      APIs
                      • DefWindowProcW.USER32(?,?,?,?), ref: 000236D2
                      • KillTimer.USER32(?,00000001), ref: 000236FC
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0002371F
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0002372A
                      • CreatePopupMenu.USER32 ref: 0002373E
                      • PostQuitMessage.USER32(00000000), ref: 0002375F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated
                      • API String ID: 129472671-2362178303
                      • Opcode ID: 77e8308d5380870c6e8d1151ad76acb68400eab1a63035e2e88f00c7d82546e0
                      • Instruction ID: ac42ddb67cebc12b090bfa027d105c7a48dd91558ab7a3437d3dab0cd32b0228
                      • Opcode Fuzzy Hash: 77e8308d5380870c6e8d1151ad76acb68400eab1a63035e2e88f00c7d82546e0
                      • Instruction Fuzzy Hash: 7A4160B1208555BBEF345F64FC4DBBE379CE711740F04012AFA46E62A2CE6E9E019761

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                      • API String ID: 1825951767-3513169116
                      • Opcode ID: 4cf1c365ce8195e35f5f77244736477694b8409786bfc58968080c9e3674ebfe
                      • Instruction ID: cef09aba2ebe461b09369c2d66eca130cd9e8d788d5290e02f2c800bd8df27b8
                      • Opcode Fuzzy Hash: 4cf1c365ce8195e35f5f77244736477694b8409786bfc58968080c9e3674ebfe
                      • Instruction Fuzzy Hash: 0BA15E71D102799ADF14EBA0EC96EEEB778BF14300F04042AF516B7192DF799A09CB61

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 019D26A1
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 019D28C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0
                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                      • Instruction ID: 21d0df3078cc3d79e22831d5fe516a849b728ebd8bcc7ff5798da1de2db890fc
                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                      • Instruction Fuzzy Hash: 79A13874E00209EBDB14CFA4C895BEEBBB5FF48305F208559E605BB280D775AA81CF51

                      Control-flow Graph

                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00023A15
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00023A36
                      • ShowWindow.USER32(00000000,?,?), ref: 00023A4A
                      • ShowWindow.USER32(00000000,?,?), ref: 00023A53
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: f7799cbaf064ef9e6801f7dc914553efcbdbb1bc8113f7755a016c1ab4c652db
                      • Instruction ID: 5001c0861a0648eb570f7e28e490c3215e54672a0a12617a26d0894e23bdcac4
                      • Opcode Fuzzy Hash: f7799cbaf064ef9e6801f7dc914553efcbdbb1bc8113f7755a016c1ab4c652db
                      • Instruction Fuzzy Hash: F6F0DA716416D07EFA3117A7BC89E773E7DD7D7FA0B00412EBA04BA170C6AA1851DAB0

                      Control-flow Graph

                      APIs
                        • Part of subcall function 019D22A0: Sleep.KERNELBASE(000001F4), ref: 019D22B1
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 019D24C1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: 4GPXXALJBQXOZMWHMNSXJ
                      • API String ID: 2694422964-1622066102
                      • Opcode ID: 2c067320126bdffff9c87dece9f6c52309a74a7e89ba9c5bcfda8271da0f040d
                      • Instruction ID: 4422aebfec36812809deb7cd7186cf928f6c47674686398b17b931cb0fb704dd
                      • Opcode Fuzzy Hash: 2c067320126bdffff9c87dece9f6c52309a74a7e89ba9c5bcfda8271da0f040d
                      • Instruction Fuzzy Hash: 8C518571D04289DAEF11D7A4C814BEEBB78AF55304F048198E609BB2C1D7B91B48CB65

                      Control-flow Graph

                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0005D5EC
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      • _memset.LIBCMT ref: 0002418D
                      • _wcscpy.LIBCMT ref: 000241E1
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000241F1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                      • String ID: Line:
                      • API String ID: 3942752672-1585850449
                      • Opcode ID: 2e2b42614179a5630e71f8063c51c40f405ba240da6b9e13c601e036aaf91d21
                      • Instruction ID: d56f45ef2e1a46c69d82ba6606571794de6a0c560714a60588180d9a2910a470
                      • Opcode Fuzzy Hash: 2e2b42614179a5630e71f8063c51c40f405ba240da6b9e13c601e036aaf91d21
                      • Instruction Fuzzy Hash: 3631E7710087649AE771EB60FC46FDB77ECAF54700F10451EF688A6092EB749648C793

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                      • String ID:
                      • API String ID: 1559183368-0
                      • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                      • Instruction ID: 62a3a678b0562c79db2853142902857f38e424ac4f1a7ed5f0e35176c70e1c81
                      • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                      • Instruction Fuzzy Hash: 8851E2B0A04B05DBDB249FB9DC846AE77F1AF40322F248739F825972D2D7709D548B48
                      APIs
                        • Part of subcall function 00024F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,000E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024F6F
                      • _free.LIBCMT ref: 0005E68C
                      • _free.LIBCMT ref: 0005E6D3
                        • Part of subcall function 00026BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00026D0D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _free$CurrentDirectoryLibraryLoad
                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                      • API String ID: 2861923089-1757145024
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,000235A1,SwapMouseButtons,00000004,?), ref: 000235D4
                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,000235A1,SwapMouseButtons,00000004,?,?,?,?,00022754), ref: 000235F5
                      • RegCloseKey.KERNELBASE(00000000,?,?,000235A1,SwapMouseButtons,00000004,?,?,?,?,00022754), ref: 00023617
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 019D1ACD
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019D1AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019D1B13
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      APIs
                        • Part of subcall function 00025045: _fseek.LIBCMT ref: 0002505D
                        • Part of subcall function 000899BE: _wcscmp.LIBCMT ref: 00089AAE
                        • Part of subcall function 000899BE: _wcscmp.LIBCMT ref: 00089AC1
                      • _free.LIBCMT ref: 0008992C
                      • _free.LIBCMT ref: 00089933
                      • _free.LIBCMT ref: 0008999E
                        • Part of subcall function 00042F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00049C64), ref: 00042FA9
                        • Part of subcall function 00042F95: GetLastError.KERNEL32(00000000,?,00049C64), ref: 00042FBB
                      • _free.LIBCMT ref: 000899A6
                      Similarity
                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                      • String ID:
                      • API String ID: 1552873950-0
                      Similarity
                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                      • String ID:
                      • API String ID: 2782032738-0
                      APIs
                      • _memset.LIBCMT ref: 0005EE62
                      • GetOpenFileNameW.COMDLG32(?), ref: 0005EEAC
                        • Part of subcall function 000248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000248A1,?,?,000237C0,?), ref: 000248CE
                        • Part of subcall function 000409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000409F4
                      Similarity
                      • API ID: Name$Path$FileFullLongOpen_memset
                      • String ID: X
                      • API String ID: 3777226403-3081909835
                      Similarity
                      • API ID: __fread_nolock_memmove
                      • String ID: EA06
                      • API String ID: 1988441806-3962188686
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?), ref: 00089B82
                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00089B99
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      APIs
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 000403D3
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 000403DB
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 000403E6
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 000403F1
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 000403F9
                        • Part of subcall function 000403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00040401
                        • Part of subcall function 00036259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0002FA90), ref: 000362B4
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0002FB2D
                      • OleInitialize.OLE32(00000000), ref: 0002FBAA
                      • CloseHandle.KERNEL32(00000000), ref: 000649F2
                      Similarity
                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                      • String ID:
                      • API String ID: 1986988660-0
                      APIs
                      • _memset.LIBCMT ref: 00024401
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 000244A6
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 000244C3
                      Similarity
                      • API ID: IconNotifyShell_$_memset
                      • String ID:
                      • API String ID: 1505330794-0
                      APIs
                      • __FF_MSGBANNER.LIBCMT ref: 00045963
                        • Part of subcall function 0004A3AB: __NMSG_WRITE.LIBCMT ref: 0004A3D2
                        • Part of subcall function 0004A3AB: __NMSG_WRITE.LIBCMT ref: 0004A3DC
                      • __NMSG_WRITE.LIBCMT ref: 0004596A
                        • Part of subcall function 0004A408: GetModuleFileNameW.KERNEL32(00000000,000E43BA,00000104,?,00000001,00000000), ref: 0004A49A
                        • Part of subcall function 0004A408: ___crtMessageBoxW.LIBCMT ref: 0004A548
                        • Part of subcall function 000432DF: ___crtCorExitProcess.LIBCMT ref: 000432E5
                        • Part of subcall function 000432DF: ExitProcess.KERNEL32 ref: 000432EE
                        • Part of subcall function 00048D68: __getptd_noexit.LIBCMT ref: 00048D68
                      • RtlAllocateHeap.NTDLL(00C20000,00000000,00000001,00000000,?,?,?,00041013,?), ref: 0004598F
                      Similarity
                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                      • String ID:
                      • API String ID: 1372826849-0
                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,000897D2,?,?,?,?,?,00000004), ref: 00089B45
                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,000897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00089B5B
                      • CloseHandle.KERNEL32(00000000,?,000897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00089B62
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      APIs
                      • _free.LIBCMT ref: 00088FA5
                        • Part of subcall function 00042F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00049C64), ref: 00042FA9
                        • Part of subcall function 00042F95: GetLastError.KERNEL32(00000000,?,00049C64), ref: 00042FBB
                      • _free.LIBCMT ref: 00088FB6
                      • _free.LIBCMT ref: 00088FC8
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      Similarity
                      • API ID:
                      • String ID: CALL
                      • API String ID: 0-4196123274
                      Similarity
                      • API ID: _memmove
                      • String ID: EA06
                      • API String ID: 4104443479-3962188686
                      APIs
                      • IsThemeActive.UXTHEME ref: 00024992
                        • Part of subcall function 000435AC: __lock.LIBCMT ref: 000435B2
                        • Part of subcall function 000435AC: DecodePointer.KERNEL32(00000001,?,000249A7,000781BC), ref: 000435BE
                        • Part of subcall function 000435AC: EncodePointer.KERNEL32(?,?,000249A7,000781BC), ref: 000435C9
                        • Part of subcall function 00024A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00024A73
                        • Part of subcall function 00024A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00024A88
                        • Part of subcall function 00023B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00023B7A
                        • Part of subcall function 00023B4C: IsDebuggerPresent.KERNEL32 ref: 00023B8C
                        • Part of subcall function 00023B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,000E62F8,000E62E0,?,?), ref: 00023BFD
                        • Part of subcall function 00023B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00023C81
                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 000249D2
                      Similarity
                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                      • String ID:
                      • API String ID: 1438897964-0
                      • Opcode ID: 6bdec02011c0928c1eb40ff61d92b0193f559ee406c98d0b6c8a1f3f272e363b
                      • Instruction ID: dc19a1e4d2c49ecf8f6a205274cdeec5e30e14de58dd3c342a9901f83155f0ca
                      • Opcode Fuzzy Hash: 6bdec02011c0928c1eb40ff61d92b0193f559ee406c98d0b6c8a1f3f272e363b
                      • Instruction Fuzzy Hash: 3311CDB19083619BD300EF28EC8594AFFF8EB94B50F00851EF5449B2B2DB759544CB96
                      APIs
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00025981,?,?,?,?), ref: 00025E27
                      • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00025981,?,?,?,?), ref: 0005E19C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 10df8d0295379612b80bc253892bcbcfbe6adfe2a309bf545e829540192812a3
                      • Instruction ID: 35dd566cbc2ccee96e7f4918cd16c242557073fba6dd88f69aaa6c25913f6146
                      • Opcode Fuzzy Hash: 10df8d0295379612b80bc253892bcbcfbe6adfe2a309bf545e829540192812a3
                      • Instruction Fuzzy Hash: 2301B570244718BEF7780E24DC8AF763BDCEB01769F108318BEE55A1E0C6B45E498B58
                      APIs
                        • Part of subcall function 0004594C: __FF_MSGBANNER.LIBCMT ref: 00045963
                        • Part of subcall function 0004594C: __NMSG_WRITE.LIBCMT ref: 0004596A
                        • Part of subcall function 0004594C: RtlAllocateHeap.NTDLL(00C20000,00000000,00000001,00000000,?,?,?,00041013,?), ref: 0004598F
                      • std::exception::exception.LIBCMT ref: 0004102C
                      • __CxxThrowException@8.LIBCMT ref: 00041041
                        • Part of subcall function 000487DB: RaiseException.KERNEL32(?,?,?,000DBAF8,00000000,?,?,?,?,00041046,?,000DBAF8,?,00000001), ref: 00048830
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                      • String ID:
                      • API String ID: 3902256705-0
                      • Opcode ID: 52f2a1ad6c4a21fb0246a9b76b5c717d342c535820f37182bd029f463e2bf5ff
                      • Instruction ID: cdea33f764125e8bad43f57dc884dca6850ddd28be75fa450b6fea1209c3a8ec
                      • Opcode Fuzzy Hash: 52f2a1ad6c4a21fb0246a9b76b5c717d342c535820f37182bd029f463e2bf5ff
                      • Instruction Fuzzy Hash: 76F0A4B5504219A6CB20BA58EC159DF7BE89F01351F104836F904A6693DFB1CAD082A9
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __lock_file_memset
                      • String ID:
                      • API String ID: 26237723-0
                      • Opcode ID: 711f06b039057e10f3e73c39641f26b83c8f1c77ce958a8fcb8cb7cfcdaf36b1
                      • Instruction ID: 32ac9f1535a8619cd9ce4248ccb2bfd0c60e4dd41a9183b73582265bbea134ea
                      • Opcode Fuzzy Hash: 711f06b039057e10f3e73c39641f26b83c8f1c77ce958a8fcb8cb7cfcdaf36b1
                      • Instruction Fuzzy Hash: 8101A7F1C00608EBCF22AF698C065DF7BA1AF45361F148239F8146B1A3DF318A11DB99
                      APIs
                        • Part of subcall function 00048D68: __getptd_noexit.LIBCMT ref: 00048D68
                      • __lock_file.LIBCMT ref: 0004561B
                        • Part of subcall function 00046E4E: __lock.LIBCMT ref: 00046E71
                      • __fclose_nolock.LIBCMT ref: 00045626
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                      • String ID:
                      • API String ID: 2800547568-0
                      • Opcode ID: e9b99a39175f8ef581ac9388580d97e33a7b356bc6b7f129e94c93986b5ba567
                      • Instruction ID: f381c4fd21ba481f6cd3f21596a2b2107950b429ad9c5552fb7bc7e9e391e9d1
                      • Opcode Fuzzy Hash: e9b99a39175f8ef581ac9388580d97e33a7b356bc6b7f129e94c93986b5ba567
                      • Instruction Fuzzy Hash: FAF090F1801A049BDB20BB758C027AE77E16F41736F568629A414AB1C3CF7C89019B9D
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 019D1ACD
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 019D1AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019D1B13
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                      • String ID:
                      • API String ID: 2438371351-0
                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                      • Instruction ID: 48de49d331c03a124325469c9b81798736bdd9b11436806bc038f3cff0401b86
                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                      • Instruction Fuzzy Hash: 7512DE24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CB5A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21a507151cf5eb0eef120083b262194b3b12adc85d8695d17d95972d084ad095
                      • Instruction ID: 26e842c3c0d9cb6337b304d63b4ecebbf59a5e58262e8c5c20849554f2831b0a
                      • Opcode Fuzzy Hash: 21a507151cf5eb0eef120083b262194b3b12adc85d8695d17d95972d084ad095
                      • Instruction Fuzzy Hash: 0B517035600614AFCF15EBA4DD92EBE77EAAF45310F148168F946AB293CB31ED00CB55
                      APIs
                      • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00025CF6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 8e2a7be4822e8276d8d9566bf89b691cee0910a9ba7054b668bc5c58e4691169
                      • Instruction ID: 756d94ade12aa60c8aab54fe40feec9ff2f19e31a07a32465804a023b7511dcd
                      • Opcode Fuzzy Hash: 8e2a7be4822e8276d8d9566bf89b691cee0910a9ba7054b668bc5c58e4691169
                      • Instruction Fuzzy Hash: 45316E71A00B29AFCB18CF2DD8846ADB7B5FF48311F248629D81993710E731BD50DB94
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      • Opcode ID: 8c9b10ce512e31cdb1c3e2bd4210dacc05d63f489cd288033dd3fcfa812d8579
                      • Instruction ID: 2e2c600c177a78dbaab6f0ba2389bd1ab84d5dadefad3ad3daee7772dc442785
                      • Opcode Fuzzy Hash: 8c9b10ce512e31cdb1c3e2bd4210dacc05d63f489cd288033dd3fcfa812d8579
                      • Instruction Fuzzy Hash: 0B412C74604351CFDB24DF14C484B5ABBE1BF45314F1988ACE8898B762C776EC85CB52
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
                      • Instruction ID: a0845e8a4efa97620768c69cc371120e5141c2fdd3b06eaf004501e9d665a7bf
                      • Opcode Fuzzy Hash: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
                      • Instruction Fuzzy Hash: 38114C79201605DFC724DF28E481A56B7E9FF48314720C82EE98ACB662DB32E891CB54
                      APIs
                        • Part of subcall function 00024D13: FreeLibrary.KERNEL32(00000000,?), ref: 00024D4D
                        • Part of subcall function 0004548B: __wfsopen.LIBCMT ref: 00045496
                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,000E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024F6F
                        • Part of subcall function 00024CC8: FreeLibrary.KERNEL32(00000000), ref: 00024D02
                        • Part of subcall function 00024DD0: _memmove.LIBCMT ref: 00024E1A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Library$Free$Load__wfsopen_memmove
                      • String ID:
                      • API String ID: 1396898556-0
                      • Opcode ID: ba5577efc39ea01e241ae8013bdd7b08fe6337354c2ed853683138c5dcf61cf2
                      • Instruction ID: ae5227e719b415c37c1c018a911d4a6941e00b7491a96a055de152962293cc08
                      • Opcode Fuzzy Hash: ba5577efc39ea01e241ae8013bdd7b08fe6337354c2ed853683138c5dcf61cf2
                      • Instruction Fuzzy Hash: AA110A31600725ABCF20FF74EC46FEE77A89F80701F20843AF945AA1C3DA719A159B60
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClearVariant
                      • String ID:
                      • API String ID: 1473721057-0
                      • Opcode ID: f7bc39333603c9ca03a805099979f04de13a9b1081834560a0b0bca5258f1974
                      • Instruction ID: 4323a775309fdb89a46099a4a58bf2c2339a7c60fe4f49fb393ccc16f16361fd
                      • Opcode Fuzzy Hash: f7bc39333603c9ca03a805099979f04de13a9b1081834560a0b0bca5258f1974
                      • Instruction Fuzzy Hash: 4A2122B4608351CFCB24DF64D444A5BBBE1BF89314F058968E88A87722DB31E895CB93
                      APIs
                      • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00025807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00025D76
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: 0f4ea8731ec7d55a40a3adc89a8b99bcd5c1db2ae12a68aa59578016cc6b8702
                      • Instruction ID: 0d11cfe3a7f5fa8b7ee7b3aba082649e12c9a7d46f69c1463f1c78a5c3b173ea
                      • Opcode Fuzzy Hash: 0f4ea8731ec7d55a40a3adc89a8b99bcd5c1db2ae12a68aa59578016cc6b8702
                      • Instruction Fuzzy Hash: 34113635200B11AFD3708F15E888B66B7E9EF45761F10C92EE8AA86A50D7B0E945CF64
                      APIs
                      • __lock_file.LIBCMT ref: 00044AD6
                        • Part of subcall function 00048D68: __getptd_noexit.LIBCMT ref: 00048D68
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __getptd_noexit__lock_file
                      • String ID:
                      • API String ID: 2597487223-0
                      • Opcode ID: 0fe976e352a3e43c5ff88b4b914461821c3add4b6ca49c620ee62584acb61267
                      • Instruction ID: c699034296d7640d6fb96ddfbf01c2220438ce6a8b9326608f092e2519c97620
                      • Opcode Fuzzy Hash: 0fe976e352a3e43c5ff88b4b914461821c3add4b6ca49c620ee62584acb61267
                      • Instruction Fuzzy Hash: FAF0A4B19402099BDF61BF648C063DF36A1AF00325F048535B414AA1D3DB788960DF9A
                      APIs
                      • FreeLibrary.KERNEL32(?,?,000E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024FDE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 0aefe5898e7cd187d03d73978cde31cb0bf901365052c61b36113a09805c48fc
                      • Instruction ID: efba7f84e8ece1f4337762a9779c595e63be56e593df0486c81ec32d1302bbfb
                      • Opcode Fuzzy Hash: 0aefe5898e7cd187d03d73978cde31cb0bf901365052c61b36113a09805c48fc
                      • Instruction Fuzzy Hash: 85F03971505B22CFCBB49F64E9D4826BBF1FF443293208A3EE1D682A11C771A844DF40
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 000409F4
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LongNamePath_memmove
                      • String ID:
                      • API String ID: 2514874351-0
                      • Opcode ID: ecf38dced8a388b151f7878efeaa9758f322f9e27027ebfc3d3339e280e2b522
                      • Instruction ID: e01241b4e75189e3d3d8b193b0f8b928f1d7ce388d419a66e988fe82077a2fe6
                      • Opcode Fuzzy Hash: ecf38dced8a388b151f7878efeaa9758f322f9e27027ebfc3d3339e280e2b522
                      • Instruction Fuzzy Hash: 95E0CD3690522857D720D6989C05FFA77EDDFC9791F0401B5FD4CD7206DD649C818690
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __fread_nolock
                      • String ID:
                      • API String ID: 2638373210-0
                      • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                      • Instruction ID: c61b45d1247f7dc00cb35705892de14a139bd2c1daba7137bc0f844e163f0849
                      • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                      • Instruction Fuzzy Hash: 28E092B0118B005FDB749A24D8147E373E0BB06315F04081CF2DA93342EF6378418759
                      APIs
                      • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0005E16B,?,?,00000000), ref: 00025DBF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: 9bbf94906ba4847260756282487f30e2f5f22cf22487ee7bd97b90c7b8ce1b57
                      • Instruction ID: 7d2585062367221c3fc5ca4078409e71d61c0e4737a16b4185925a4a58b1f58b
                      • Opcode Fuzzy Hash: 9bbf94906ba4847260756282487f30e2f5f22cf22487ee7bd97b90c7b8ce1b57
                      • Instruction Fuzzy Hash: D8D0C77464020CBFE710DB80DC46FA9777CD705710F100194FD0456290D6B27D508795
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __wfsopen
                      • String ID:
                      • API String ID: 197181222-0
                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                      • Instruction ID: e4171871104fbfd64784cb47b57fd0d88e9267d9ad3cdb70c67bfcb74de66a89
                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                      • Instruction Fuzzy Hash: E7B092B688020C77DE012E82EC02A993B199B80679F808020FB0C1C163A673AAA09689
                      APIs
                      • GetLastError.KERNEL32(00000002,00000000), ref: 0008D46A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorLast
                      • String ID:
                      • API String ID: 1452528299-0
                      • Opcode ID: 37a155552ace7a7d435256d3f47ebe0df1f955b011a9c1976c8a9a8e08d1f74f
                      • Instruction ID: 83345b0fe4fa3aff7f3cb6b2a7e61b4a418194ca3d3a0d2075fd416b57272c1b
                      • Opcode Fuzzy Hash: 37a155552ace7a7d435256d3f47ebe0df1f955b011a9c1976c8a9a8e08d1f74f
                      • Instruction Fuzzy Hash: 177165302087128FCB54EF24D491AAEB7E4BF88314F04466EF59697292DB30ED49CB56
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction ID: 13463da374d3229c46ff72b3a43bd0f5d249c660f7a73c37c52d4dca8350bf16
                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                      • Instruction Fuzzy Hash: 393127B1A00106DFC768DF49C480969F7A2FF99300B248AB5E609EB651D731EDD1CBC8
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 019D22B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                      • Instruction ID: a5f95e29d01722a620f4a0ee0e2acf895cbfbdb9ea102d837112e5cb79daabf3
                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                      • Instruction Fuzzy Hash: 80E0BF7494010EEFDB00EFA4D5496DE7BB4EF04311F1045A1FD05D7681DB309E549A72
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 019D22B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_19d0000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction ID: 0b5b2ec88b5c4549644fe99d0cf4123fd4a44eb24de67f15fd6eefcd88f4c5a7
                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                      • Instruction Fuzzy Hash: 6FE0E67494010EDFDB00EFB4D54969E7FB4EF04301F104161FD05D2281D6309D509A72
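The two Sleep stubs above are the only functions on this page that do not live in the image at 0x20000: their dump is at 0x19D0000 and the report marks it "based on PE: false". The dump file name carries more than that flag. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin; it splits a `.sdmp` name and decodes two of its fields under an assumption stated in the code and not confirmed by the page: that the 8-digit field after the base address is a Win32 page protection and the field two after it is the MEMORY_BASIC_INFORMATION Type. The assumption is cross-checked against the report's own "based on PE" flag (0x01000000 = MEM_IMAGE for the image dump, 0x00020000 = MEM_PRIVATE for the 0x19D0000 dump), and the five "Associated" dumps of the image decode to the usual section protections (read-only header at 0x20000, execute-read code at 0x21000, read-write data at 0xDF000), which is further support for the layout. The remaining two hex fields are left undecoded because nothing on the page establishes their meaning.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ASSUMED .sdmp name layout, inferred from this report rather than vendor-documented:
#   <pid>.<dumpid>.<counter>.<base>.<protect>.<unknown>.<type>.<unknown>.sdmp
# Only <base>, <protect> and <type> are interpreted; check_source_line() validates the
# interpretation against the report's "based on PE" flag before anyone relies on it.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<dumpid>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$"
)
# Matches the report's "• Source File: <name>, Offset: <hex>, based on PE: true|false" line.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        # Mask off modifier bits (PAGE_GUARD, PAGE_NOCACHE) that may be OR-ed in.
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)   # PAGE_EXECUTE* values are 0x10..0x80

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)   # READWRITE/WRITECOPY and their EXECUTE_ variants


def parse_sdmp_name(name: str) -> Optional[DumpRegion]:
    m = SDMP_RE.match(name)
    if not m:
        return None
    return DumpRegion(name, int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))


def check_source_line(line: str) -> dict:
    """Decode a Memory Dump Source line and say whether the region deserves first attention."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError("not a Memory Dump Source line")
    region = parse_sdmp_name(m["name"])
    if region is None:
        raise ValueError("unrecognised .sdmp name layout")
    pe_backed = m["pe"] == "true"
    return {
        "base": region.base,
        "offset": int(m["offset"], 16),
        "protect": region.protect_name,
        "type": region.type_name,
        "pe_backed": pe_backed,
        # The assumed layout only holds if the decoded Type agrees with the report's flag.
        "layout_consistent": pe_backed == (region.mem_type == MEM_IMAGE),
        # Private, writable, executable and not PE-backed: where an unpacked stage usually runs.
        "private_rwx": (not pe_backed) and region.executable and region.writable
                       and region.mem_type == MEM_PRIVATE,
    }


if __name__ == "__main__":
    for src in (
        "• Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true",
        "• Source File: 00000000.00000002.1644337710.00000000019D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 019D0000, based on PE: false",
    ):
        print(check_source_line(src))
```

Run over the two Source File lines on this page, the image dump decodes to PAGE_EXECUTE_READ / MEM_IMAGE and the 0x19D0000 dump to PAGE_EXECUTE_READWRITE / MEM_PRIVATE with `private_rwx` set; that is the dump to open first when looking for the unpacked AgentTesla stage, and if `layout_consistent` is ever false the field assumption is wrong and the decode must be discarded.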
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 000ACE50
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000ACE91
                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 000ACED6
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000ACF00
                      • SendMessageW.USER32 ref: 000ACF29
                      • _wcsncpy.LIBCMT ref: 000ACFA1
                      • GetKeyState.USER32(00000011), ref: 000ACFC2
                      • GetKeyState.USER32(00000009), ref: 000ACFCF
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 000ACFE5
                      • GetKeyState.USER32(00000010), ref: 000ACFEF
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 000AD018
                      • SendMessageW.USER32 ref: 000AD03F
                      • SendMessageW.USER32(?,00001030,?,000AB602), ref: 000AD145
                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 000AD15B
                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 000AD16E
                      • SetCapture.USER32(?), ref: 000AD177
                      • ClientToScreen.USER32(?,?), ref: 000AD1DC
                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 000AD1E9
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000AD203
                      • ReleaseCapture.USER32 ref: 000AD20E
                      • GetCursorPos.USER32(?), ref: 000AD248
                      • ScreenToClient.USER32(?,?), ref: 000AD255
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 000AD2B1
                      • SendMessageW.USER32 ref: 000AD2DF
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 000AD31C
                      • SendMessageW.USER32 ref: 000AD34B
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 000AD36C
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 000AD37B
                      • GetCursorPos.USER32(?), ref: 000AD39B
                      • ScreenToClient.USER32(?,?), ref: 000AD3A8
                      • GetParent.USER32(?), ref: 000AD3C8
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 000AD431
                      • SendMessageW.USER32 ref: 000AD462
                      • ClientToScreen.USER32(?,?), ref: 000AD4C0
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 000AD4F0
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 000AD51A
                      • SendMessageW.USER32 ref: 000AD53D
                      • ClientToScreen.USER32(?,?), ref: 000AD58F
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 000AD5C3
                        • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
                      • GetWindowLongW.USER32(?,000000F0), ref: 000AD65F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                      • String ID: @GUI_DRAGID$F
                      • API String ID: 3977979337-4164748364
                      • Opcode ID: c3e9c1235fc89244c637d5ee956cd56c9b3fdb7aa031ddce9693305c710515cc
                      • Instruction ID: 116e3375dac4f7c13c8c8dc741c4c32b04b1cb0c518c3fc8d3bb7a22c84fbe9c
                      • Opcode Fuzzy Hash: c3e9c1235fc89244c637d5ee956cd56c9b3fdb7aa031ddce9693305c710515cc
                      • Instruction Fuzzy Hash: BE42BF30204641EFE724CFA8C984FAABBE5FF4A754F15061DF696972A1C732D840CB92
                      APIs
                      • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 000A873F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: %d/%02d/%02d
                      • API String ID: 3850602802-328681919
                      • Opcode ID: 42f3f7ada493b201eeb8fdfc3686369256bce28285550aab96d682c749bb5491
                      • Instruction ID: 5568d5ca8d1c7ab9aaf14bc578f9b8e1e1dd7991d69f53459b1c05a4c866f860
                      • Opcode Fuzzy Hash: 42f3f7ada493b201eeb8fdfc3686369256bce28285550aab96d682c749bb5491
                      • Instruction Fuzzy Hash: 3712E171500605AFEB648FA4CC49FAE7BF8EF4A350F248129F915EA2E1DF748941CB50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memmove$_memset
                      • String ID: 0w$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                      • API String ID: 1357608183-1077906630
                      • Opcode ID: 4a6e3e9b6e78baf29540baa1d8a348412567b82eedb5320e27d9380fa892ecf0
                      • Instruction ID: 162a3bf8cbfadd9967c4887a84650a218fe7be319508b55a29141df3a11a2ba4
                      • Opcode Fuzzy Hash: 4a6e3e9b6e78baf29540baa1d8a348412567b82eedb5320e27d9380fa892ecf0
                      • Instruction Fuzzy Hash: 1E93AF71E04219DBDB25CF98C881BADB7F1FF48310F24C16AE949AB281E7749E81DB54
                      APIs
                      • GetForegroundWindow.USER32(00000000,?), ref: 00024A3D
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0005DA8E
                      • IsIconic.USER32(?), ref: 0005DA97
                      • ShowWindow.USER32(?,00000009), ref: 0005DAA4
                      • SetForegroundWindow.USER32(?), ref: 0005DAAE
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0005DAC4
                      • GetCurrentThreadId.KERNEL32 ref: 0005DACB
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0005DAD7
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0005DAE8
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0005DAF0
                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0005DAF8
                      • SetForegroundWindow.USER32(?), ref: 0005DAFB
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005DB10
                      • keybd_event.USER32(00000012,00000000), ref: 0005DB1B
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005DB25
                      • keybd_event.USER32(00000012,00000000), ref: 0005DB2A
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005DB33
                      • keybd_event.USER32(00000012,00000000), ref: 0005DB38
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0005DB42
                      • keybd_event.USER32(00000012,00000000), ref: 0005DB47
                      • SetForegroundWindow.USER32(?), ref: 0005DB4A
                      • AttachThreadInput.USER32(?,?,00000000), ref: 0005DB71
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      • Opcode ID: c175ee1701fbae0d835879c6be26fee6c684eca05566f7249bccf4f2e5bd4c91
                      • Instruction ID: 4401df5492c8b13d78bb980850dbec69606405fb2c58cae80ad9a3a1f8223fbe
                      • Opcode Fuzzy Hash: c175ee1701fbae0d835879c6be26fee6c684eca05566f7249bccf4f2e5bd4c91
                      • Instruction Fuzzy Hash: 19315071A80719BBFB316FB19C49F7F3EACEB45B51F114026FE04EA1D0D6B45900AAA1
                      APIs
                        • Part of subcall function 00078CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00078D0D
                        • Part of subcall function 00078CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078D3A
                        • Part of subcall function 00078CC3: GetLastError.KERNEL32 ref: 00078D47
                      • _memset.LIBCMT ref: 0007889B
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 000788ED
                      • CloseHandle.KERNEL32(?), ref: 000788FE
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00078915
                      • GetProcessWindowStation.USER32 ref: 0007892E
                      • SetProcessWindowStation.USER32(00000000), ref: 00078938
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00078952
                        • Part of subcall function 00078713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00078851), ref: 00078728
                        • Part of subcall function 00078713: CloseHandle.KERNEL32(?,?,00078851), ref: 0007873A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                      • String ID: $default$winsta0
                      • API String ID: 2063423040-1027155976
                      • Opcode ID: 2bc9bd4be08da84c7d6a1dfe89ee6de12d60c8f14c256d4aaa2e68c115b4dcbf
                      • Instruction ID: eaa0e90e8c9c6e2195ee4e9bbec4313cdd0101a6d548a39a2ea9f628c81fa242
                      • Opcode Fuzzy Hash: 2bc9bd4be08da84c7d6a1dfe89ee6de12d60c8f14c256d4aaa2e68c115b4dcbf
                      • Instruction Fuzzy Hash: 3E815A71D40209BFEF11DFA4DC49AEE7BB8EF04304F18C16AF918A6161DB398E149B65
                      APIs
                      • OpenClipboard.USER32(000AF910), ref: 00094284
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00094292
                      • GetClipboardData.USER32(0000000D), ref: 0009429A
                      • CloseClipboard.USER32 ref: 000942A6
                      • GlobalLock.KERNEL32(00000000), ref: 000942C2
                      • CloseClipboard.USER32 ref: 000942CC
                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 000942E1
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 000942EE
                      • GetClipboardData.USER32(00000001), ref: 000942F6
                      • GlobalLock.KERNEL32(00000000), ref: 00094303
                      • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00094337
                      • CloseClipboard.USER32 ref: 00094447
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                      • String ID:
                      • API String ID: 3222323430-0
                      • Opcode ID: 51f3dd652b5fa893c1e362e996a1aa48b67e6585a0a9b2805edd53ef61530026
                      • Instruction ID: 22ba8b0e8c0e8b3aea1cd8bc23d3b86195b28e3f3aff900b85d6100d33743093
                      • Opcode Fuzzy Hash: 51f3dd652b5fa893c1e362e996a1aa48b67e6585a0a9b2805edd53ef61530026
                      • Instruction Fuzzy Hash: 8E519531204702ABEB11AFA0EC85FBF77A8AF45B01F104529F595D21E2DF74D9059B62
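Two of the function listings above are worth pulling out of a report this long mechanically: the Shell_TrayWnd / AttachThreadInput / keybd_event(0x12) sequence, which is the standard trick for forcing SetForegroundWindow to succeed, and the OpenClipboard / IsClipboardFormatAvailable(0xD, 0x1) / GetClipboardData reader behind the "read data from the clipboard" signature. The Python below is an added example, not part of the Joe Sandbox report or its plugin. It parses the report's `• Api.MODULE(args), ref: addr` lines (including the indented "Part of subcall function" form) and tags a function from API sets plus argument values that names alone do not show (0xD = CF_UNICODETEXT, 0x1 = CF_TEXT, 0x12 = VK_MENU). The rule sets and tag names are this example's own, and the sample input is copied from the listings on this page. One caveat for triage: both sequences are consistent with the AutoIt runtime that the report says this binary is built on, so a hit marks a capability the interpreter carries rather than proof that the embedded script uses it; treat the tags as leads to follow into the dump, not as verdicts.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Union

# Sample input copied from the "APIs" listings above (this page's own report text).
CLIPBOARD_FUNC = """\
• OpenClipboard.USER32(000AF910), ref: 00094284
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00094292
• GetClipboardData.USER32(0000000D), ref: 0009429A
• CloseClipboard.USER32 ref: 000942A6
• GlobalLock.KERNEL32(00000000), ref: 000942C2
• GlobalUnlock.KERNEL32(00000000,00000000), ref: 000942E1
• IsClipboardFormatAvailable.USER32(00000001), ref: 000942EE
• GetClipboardData.USER32(00000001), ref: 000942F6
"""
WINACTIVATE_FUNC = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0005DA8E
• GetCurrentThreadId.KERNEL32 ref: 0005DACB
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0005DAE8
• SetForegroundWindow.USER32(?), ref: 0005DAFB
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0005DB10
• keybd_event.USER32(00000012,00000000), ref: 0005DB1B
• AttachThreadInput.USER32(?,?,00000000), ref: 0005DB71
"""

# One listing line: optional "Part of subcall function XXXX:" prefix, then Api.MODULE,
# an optional parenthesised argument list, and "ref: <call-site address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str]  # int for 8-digit hex immediates, "?" for unknown, str for literals


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Arg]
    ref: int                       # call-site address inside the dump
    subcall: Optional[int] = None  # address of the nested function for "Part of subcall" lines


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return tok
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok  # string literal such as Shell_TrayWnd, winsta0 or *.*


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                   int(sub, 16) if sub else None)


def parse_function(lines) -> List[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]


# Tag rules are this example's own labels, not Joe Sandbox signature names.
# A tag fires when every API in its set appears somewhere in the function.
RULES = {
    "clipboard-read": {"OpenClipboard", "GetClipboardData", "GlobalLock"},
    "force-foreground": {"AttachThreadInput", "SetForegroundWindow", "keybd_event"},
    "winsta-desktop-switch": {"OpenWindowStationW", "SetProcessWindowStation", "OpenDesktopW"},
    "token-manipulation": {"DuplicateTokenEx", "AdjustTokenPrivileges"},
}
CLIPBOARD_FORMATS = {0x1: "CF_TEXT", 0xD: "CF_UNICODETEXT"}
VK_MENU = 0x12  # Alt; a synthetic Alt press is what lets SetForegroundWindow succeed


def tag_function(lines) -> Set[str]:
    calls = parse_function(lines)
    names = {c.name for c in calls}
    tags = {tag for tag, needed in RULES.items() if needed <= names}
    # Refine from argument values, which the API names alone do not reveal.
    for c in calls:
        if c.name in ("IsClipboardFormatAvailable", "GetClipboardData") and c.args:
            fmt = CLIPBOARD_FORMATS.get(c.args[0])
            if fmt:
                tags.add(f"clipboard:{fmt}")
        if c.name == "keybd_event" and c.args and c.args[0] == VK_MENU:
            tags.add("synthetic-alt-keypress")
    return tags


if __name__ == "__main__":
    for label, text in (("clipboard", CLIPBOARD_FUNC), ("winactivate", WINACTIVATE_FUNC)):
        print(label, sorted(tag_function(text.splitlines())))
```

Feeding the page's "APIs" blocks through `tag_function` one function at a time gives `clipboard-read` plus both clipboard formats for the reader at 0x94284 and `force-foreground` plus `synthetic-alt-keypress` for the Shell_TrayWnd routine; the `ref` addresses survive in each `ApiCall`, so a hit can be taken straight to the call site in the 0x20000 dump.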
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 0008C9F8
                      • FindClose.KERNEL32(00000000), ref: 0008CA4C
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0008CA71
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0008CA88
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0008CAAF
                      • __swprintf.LIBCMT ref: 0008CAFB
                      • __swprintf.LIBCMT ref: 0008CB3E
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                      • __swprintf.LIBCMT ref: 0008CB92
                        • Part of subcall function 000438D8: __woutput_l.LIBCMT ref: 00043931
                      • __swprintf.LIBCMT ref: 0008CBE0
                        • Part of subcall function 000438D8: __flsbuf.LIBCMT ref: 00043953
                        • Part of subcall function 000438D8: __flsbuf.LIBCMT ref: 0004396B
                      • __swprintf.LIBCMT ref: 0008CC2F
                      • __swprintf.LIBCMT ref: 0008CC7E
                      • __swprintf.LIBCMT ref: 0008CCCD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                      • API String ID: 3953360268-2428617273
                      • Opcode ID: 1d4b7c139c8f0e704c9f91eb61362c6c1602c159b0eb076a3f121b4fe01e1daa
                      • Instruction ID: 7fa58151bf9a264378d9207a5ca1c344b3e22fe810fce2b397eb3ae191be12fc
                      • Opcode Fuzzy Hash: 1d4b7c139c8f0e704c9f91eb61362c6c1602c159b0eb076a3f121b4fe01e1daa
                      • Instruction Fuzzy Hash: E3A13EB1508315ABD710FBA4D986DEFB7ECBF94700F404929F585D6192EA34DA08CB62
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0008F221
                      • _wcscmp.LIBCMT ref: 0008F236
                      • _wcscmp.LIBCMT ref: 0008F24D
                      • GetFileAttributesW.KERNEL32(?), ref: 0008F25F
                      • SetFileAttributesW.KERNEL32(?,?), ref: 0008F279
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0008F291
                      • FindClose.KERNEL32(00000000), ref: 0008F29C
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0008F2B8
                      • _wcscmp.LIBCMT ref: 0008F2DF
                      • _wcscmp.LIBCMT ref: 0008F2F6
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0008F308
                      • SetCurrentDirectoryW.KERNEL32(000DA5A0), ref: 0008F326
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008F330
                      • FindClose.KERNEL32(00000000), ref: 0008F33D
                      • FindClose.KERNEL32(00000000), ref: 0008F34F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1803514871-438819550
                      • Opcode ID: d2242fc374754e6ea6ba01650c17a2a23cc0295e9e75e2ab347eec9574180b5d
                      • Instruction ID: 2f2c5ea25de13dde9969195671b6b5e21dbc883803182061516c08d668b974a6
                      • Opcode Fuzzy Hash: d2242fc374754e6ea6ba01650c17a2a23cc0295e9e75e2ab347eec9574180b5d
                      • Instruction Fuzzy Hash: 2431C77660061A6ADB20EBB4EC48AFE77ECAF09361F100276E980D3190DB34DB45CB64
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A0BDE
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,000AF910,00000000,?,00000000,?,?), ref: 000A0C4C
                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 000A0C94
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 000A0D1D
                      • RegCloseKey.ADVAPI32(?), ref: 000A103D
                      • RegCloseKey.ADVAPI32(00000000), ref: 000A104A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Close$ConnectCreateRegistryValue
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 536824911-966354055
                      • Opcode ID: d5ffbdcca445b7a0696f0abed853979b1c9f7a5c19839346b9556fea71f573c4
                      • Instruction ID: d270395988bd91e7e56e2face432b673ca88ff4c3107cfe329b52f158f53afd5
                      • Opcode Fuzzy Hash: d5ffbdcca445b7a0696f0abed853979b1c9f7a5c19839346b9556fea71f573c4
                      • Instruction Fuzzy Hash: CC0290756006119FDB14EF54D881E6AB7E5FF89720F04886DF98A9B362CB31ED41CB81
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0008F37E
                      • _wcscmp.LIBCMT ref: 0008F393
                      • _wcscmp.LIBCMT ref: 0008F3AA
                        • Part of subcall function 000845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 000845DC
                      • FindNextFileW.KERNEL32(00000000,?), ref: 0008F3D9
                      • FindClose.KERNEL32(00000000), ref: 0008F3E4
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0008F400
                      • _wcscmp.LIBCMT ref: 0008F427
                      • _wcscmp.LIBCMT ref: 0008F43E
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0008F450
                      • SetCurrentDirectoryW.KERNEL32(000DA5A0), ref: 0008F46E
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0008F478
                      • FindClose.KERNEL32(00000000), ref: 0008F485
                      • FindClose.KERNEL32(00000000), ref: 0008F497
                      Similarity
                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 1824444939-438819550
                      • Opcode ID: 2dd7860034e4ec4a1273c93a290f3f03da8e3afc02297715a11d388f187fb8e5
                      • Instruction ID: 53ce67be7a769ec7ac630dec84bbeefa000bc35f089f237fe50da188d7139198
                      • Opcode Fuzzy Hash: 2dd7860034e4ec4a1273c93a290f3f03da8e3afc02297715a11d388f187fb8e5
                      • Instruction Fuzzy Hash: 3631B97150161B6ADF20BBB4EC88AFE77ECAF45360F100276E990931A1D774DE44CB64
                      APIs
                        • Part of subcall function 0007874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00078766
                        • Part of subcall function 0007874A: GetLastError.KERNEL32(?,0007822A,?,?,?), ref: 00078770
                        • Part of subcall function 0007874A: GetProcessHeap.KERNEL32(00000008,?,?,0007822A,?,?,?), ref: 0007877F
                        • Part of subcall function 0007874A: HeapAlloc.KERNEL32(00000000,?,0007822A,?,?,?), ref: 00078786
                        • Part of subcall function 0007874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0007879D
                        • Part of subcall function 000787E7: GetProcessHeap.KERNEL32(00000008,00078240,00000000,00000000,?,00078240,?), ref: 000787F3
                        • Part of subcall function 000787E7: HeapAlloc.KERNEL32(00000000,?,00078240,?), ref: 000787FA
                        • Part of subcall function 000787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00078240,?), ref: 0007880B
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0007825B
                      • _memset.LIBCMT ref: 00078270
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0007828F
                      • GetLengthSid.ADVAPI32(?), ref: 000782A0
                      • GetAce.ADVAPI32(?,00000000,?), ref: 000782DD
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000782F9
                      • GetLengthSid.ADVAPI32(?), ref: 00078316
                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00078325
                      • HeapAlloc.KERNEL32(00000000), ref: 0007832C
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0007834D
                      • CopySid.ADVAPI32(00000000), ref: 00078354
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00078385
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000783AB
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000783BF
                      Similarity
                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                      • String ID:
                      • API String ID: 3996160137-0
                      • Opcode ID: 8076a299490017258e9dc849de0897ee0084a83123bafd44f96c9ad3a8091db2
                      • Instruction ID: ccbf356f144325235a0a89d4d6ee439b1738598c95797b0c4802c5382a93a39d
                      • Opcode Fuzzy Hash: 8076a299490017258e9dc849de0897ee0084a83123bafd44f96c9ad3a8091db2
                      • Instruction Fuzzy Hash: 48615C71D4060AABDF109F94DC48EEEBBB9FF04700F14C169E919A6291DB399A05CB64
                      Similarity
                      • API ID:
                      • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                      • API String ID: 0-4052911093
                      • Opcode ID: 8a29528383c35a063b63f40de9907d0b3c69e4331c4a6c08c4fb00712dc241fc
                      • Instruction ID: 0e7c9d49b003f25de9c20a6f1cec72928a6779960f990cde2a062f37ac64b074
                      • Opcode Fuzzy Hash: 8a29528383c35a063b63f40de9907d0b3c69e4331c4a6c08c4fb00712dc241fc
                      • Instruction Fuzzy Hash: 1F727D71E002199BDB65CF58C8907EEB7F9FF48310F14C16AE949EB280DB759A81CB94
                      APIs
                        • Part of subcall function 000A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000A0038,?,?), ref: 000A10BC
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A0737
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 000A07D6
                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 000A086E
                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 000A0AAD
                      • RegCloseKey.ADVAPI32(00000000), ref: 000A0ABA
                      Similarity
                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                      • String ID:
                      • API String ID: 1240663315-0
                      • Opcode ID: 2dfb50051fdfc27c2b0d6c04b8430ad889264964b866dae82c44df85a0ea260e
                      • Instruction ID: 3f3fa37779b0022b4a7d61e9823cb9e51bd95ed865c0ad9b7eb077cd13902554
                      • Opcode Fuzzy Hash: 2dfb50051fdfc27c2b0d6c04b8430ad889264964b866dae82c44df85a0ea260e
                      • Instruction Fuzzy Hash: 9CE15E31604315AFCB14DF68C895E6ABBE4EF89714F04896DF44ADB262DA31E901CB52
                      APIs
                      • GetKeyboardState.USER32(?), ref: 00080241
                      • GetAsyncKeyState.USER32(000000A0), ref: 000802C2
                      • GetKeyState.USER32(000000A0), ref: 000802DD
                      • GetAsyncKeyState.USER32(000000A1), ref: 000802F7
                      • GetKeyState.USER32(000000A1), ref: 0008030C
                      • GetAsyncKeyState.USER32(00000011), ref: 00080324
                      • GetKeyState.USER32(00000011), ref: 00080336
                      • GetAsyncKeyState.USER32(00000012), ref: 0008034E
                      • GetKeyState.USER32(00000012), ref: 00080360
                      • GetAsyncKeyState.USER32(0000005B), ref: 00080378
                      • GetKeyState.USER32(0000005B), ref: 0008038A
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: 367b55c698236e9deb9517e2c3b1e21a2c944fee657e51ed8773b8fc4707bbd4
                      • Instruction ID: 7cf7e3e09dd4f7e25684a203b93d6af4a330451b1e34795c1fc658f15db33277
                      • Opcode Fuzzy Hash: 367b55c698236e9deb9517e2c3b1e21a2c944fee657e51ed8773b8fc4707bbd4
                      • Instruction Fuzzy Hash: 5F419C34904BCA6EFFF1AAA488083B5BEE47F12344F08409DD5C5561C2DBD55ECC8792
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: f671718eca3ab529f0d70b71340ac228bc0735b8816d5d7a4974671abe26fcbd
                      • Instruction ID: db1b5f0fe93956a83404785903f9d300ddca717cce503121d43b8902446b636d
                      • Opcode Fuzzy Hash: f671718eca3ab529f0d70b71340ac228bc0735b8816d5d7a4974671abe26fcbd
                      • Instruction Fuzzy Hash: 8721A335700A219FEB109FA4EC49F7D7BA8EF05711F10802AF946DB262DB39AC01DB95
                      APIs
                        • Part of subcall function 000248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000248A1,?,?,000237C0,?), ref: 000248CE
                        • Part of subcall function 00084CD3: GetFileAttributesW.KERNEL32(?,00083947), ref: 00084CD4
                      • FindFirstFileW.KERNEL32(?,?), ref: 00083ADF
                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00083B87
                      • MoveFileW.KERNEL32(?,?), ref: 00083B9A
                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00083BB7
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00083BD9
                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00083BF5
                      Similarity
                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                      • String ID: \*.*
                      • API String ID: 4002782344-1173974218
                      • Opcode ID: 84d6c8da5105fbced3fc998e6933ca73de90351a24b1c1bd4c53e40b0cc43d76
                      • Instruction ID: 5e5d2f1b9f6192c98e6de39a5dc5b6b31b46917bff5e6ccedd9e488837a97bc9
                      • Opcode Fuzzy Hash: 84d6c8da5105fbced3fc998e6933ca73de90351a24b1c1bd4c53e40b0cc43d76
                      • Instruction Fuzzy Hash: CE51803180515D9ACF15FBA0DE929EDB7B8AF54700F6441A9E48677092EF306F09CBA1
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0008F6AB
                      • Sleep.KERNEL32(0000000A), ref: 0008F6DB
                      • _wcscmp.LIBCMT ref: 0008F6EF
                      • _wcscmp.LIBCMT ref: 0008F70A
                      • FindNextFileW.KERNEL32(?,?), ref: 0008F7A8
                      • FindClose.KERNEL32(00000000), ref: 0008F7BE
                      Similarity
                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                      • String ID: *.*
                      • API String ID: 713712311-438819550
                      • Opcode ID: 3a68b8dee70ff696f85c3b707364cdca550303d9a5b07f2510bbad5172bbae23
                      • Instruction ID: 7a47762ed609786abdfc700aad65049356948844c03a7ae39d8cfd312fc280a1
                      • Opcode Fuzzy Hash: 3a68b8dee70ff696f85c3b707364cdca550303d9a5b07f2510bbad5172bbae23
                      • Instruction Fuzzy Hash: D1419D7190421A9BDF50EFB4CC85AFEBBB8FF05310F144566E854A21A1EB309E54CBA0
                      Similarity
                      • API ID:
                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                      • API String ID: 0-1546025612
                      • Opcode ID: 23bace0aade576b1f8ff356b7d1e3eb97c4f38fc9385c4ba82da8244f07b6f78
                      • Instruction ID: e05d5e8fc59ad0c3cbffedf2c9b1cf7c6cd4f98708da7e1215a150686a896922
                      • Opcode Fuzzy Hash: 23bace0aade576b1f8ff356b7d1e3eb97c4f38fc9385c4ba82da8244f07b6f78
                      • Instruction Fuzzy Hash: 8BA29F70E0421ACBDF75CF58C9807ADB7F6BF54314F2485AAD859AB280E770AE81CB51
                      Similarity
                      • API ID: _memmove
                      • String ID:
                      • API String ID: 4104443479-0
                      • Opcode ID: 69dd07173d4170340f3cdd3cc299b206bd9996f4bf5c1118de102eafb541236f
                      • Instruction ID: 758877df815134e4d7f32b9d961e1439ffb3acd80dcece2b5f056b06a3c74b21
                      • Opcode Fuzzy Hash: 69dd07173d4170340f3cdd3cc299b206bd9996f4bf5c1118de102eafb541236f
                      • Instruction Fuzzy Hash: 10128E70A00609DFDF14DFA5D981AEEB7F9FF48300F108669E406A7261EB39AD11CB55
                      APIs
                        • Part of subcall function 00078CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00078D0D
                        • Part of subcall function 00078CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078D3A
                        • Part of subcall function 00078CC3: GetLastError.KERNEL32 ref: 00078D47
                      • ExitWindowsEx.USER32(?,00000000), ref: 0008549B
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $@$SeShutdownPrivilege
                      • API String ID: 2234035333-194228
                      • Opcode ID: a669b63139d06d448e19a53fa0d1d5ff2153efed4cd6e1e25d63966b7a518385
                      • Instruction ID: 6932bb854e7364009a856104d16ebc72a811f00a957959fb701effbb204e5a77
                      • Opcode Fuzzy Hash: a669b63139d06d448e19a53fa0d1d5ff2153efed4cd6e1e25d63966b7a518385
                      • Instruction Fuzzy Hash: AB014C31A95B115AF77872B4DC4ABBA7298FB01757F201031FD87D20C3D5644C8083A0
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 000965EF
                      • WSAGetLastError.WSOCK32(00000000), ref: 000965FE
                      • bind.WSOCK32(00000000,?,00000010), ref: 0009661A
                      • listen.WSOCK32(00000000,00000005), ref: 00096629
                      • WSAGetLastError.WSOCK32(00000000), ref: 00096643
                      • closesocket.WSOCK32(00000000,00000000), ref: 00096657
                      Similarity
                      • API ID: ErrorLast$bindclosesocketlistensocket
                      • String ID:
                      • API String ID: 1279440585-0
                      • Opcode ID: 99273aa7a041762dcf1074bb6e0e64c1214b8e35e1c82db754e7b3b2ae4187dc
                      • Instruction ID: 4ed8fa9d5b28e63c45f22834c0c7b959bc616b53332e85286c56b877d9b15bb2
                      • Opcode Fuzzy Hash: 99273aa7a041762dcf1074bb6e0e64c1214b8e35e1c82db754e7b3b2ae4187dc
                      • Instruction Fuzzy Hash: 9621CE30600610AFDF10AF64D845A7EB7E9EF45720F108159F95AA73D2CB34AD01DB51
                      APIs
                        • Part of subcall function 00040FF6: std::exception::exception.LIBCMT ref: 0004102C
                        • Part of subcall function 00040FF6: __CxxThrowException@8.LIBCMT ref: 00041041
                      • _memmove.LIBCMT ref: 0007062F
                      • _memmove.LIBCMT ref: 00070744
                      • _memmove.LIBCMT ref: 000707EB
                      Similarity
                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                      • String ID:
                      • API String ID: 1300846289-0
                      • Opcode ID: 8a0f2de50501da513a848d633cca4f78cea639647fdb98892478bf22ebf971a7
                      • Instruction ID: 304bfeaafc2ae5ba20971461eb10eb152718e41bf612aacead6d402313df0657
                      • Opcode Fuzzy Hash: 8a0f2de50501da513a848d633cca4f78cea639647fdb98892478bf22ebf971a7
                      • Instruction Fuzzy Hash: 9F029FB0E00205DBDF15DF64D981AAEBBF5EF44300F14C069E80AEB296EB35DA54CB95
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 000219FA
                      • GetSysColor.USER32(0000000F), ref: 00021A4E
                      • SetBkColor.GDI32(?,00000000), ref: 00021A61
                        • Part of subcall function 00021290: DefDlgProcW.USER32(?,00000020,?), ref: 000212D8
                      Similarity
                      • API ID: ColorProc$LongWindow
                      • String ID:
                      • API String ID: 3744519093-0
                      • Opcode ID: 149555587d2ece5f9f3553890e99fbe6fadcd9d4f55d617ed54537f74f7a8e86
                      • Instruction ID: 5b9996ea693029a6699284b0244ace42b3e4c03fe66945d33c641213cdd8b4d4
                      • Opcode Fuzzy Hash: 149555587d2ece5f9f3553890e99fbe6fadcd9d4f55d617ed54537f74f7a8e86
                      • Instruction Fuzzy Hash: E1A17B711054A4BEF638AB687C49EFF35DCDB66382F14011AF802D6192CF279D0192B7
                      APIs
                        • Part of subcall function 000980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000980CB
                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00096AB1
                      • WSAGetLastError.WSOCK32(00000000), ref: 00096ADA
                      • bind.WSOCK32(00000000,?,00000010), ref: 00096B13
                      • WSAGetLastError.WSOCK32(00000000), ref: 00096B20
                      • closesocket.WSOCK32(00000000,00000000), ref: 00096B34
                      Similarity
                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 99427753-0
                      • Opcode ID: e45db4ae28b01a52a6397c87e616497ee449fbcd1d9fcb0be647fef8b6764eb6
                      • Instruction ID: d54d9bd88aaba754d4991a53ed0ea02037245384304897e549ac3cd300f19c14
                      • Opcode Fuzzy Hash: e45db4ae28b01a52a6397c87e616497ee449fbcd1d9fcb0be647fef8b6764eb6
                      • Instruction Fuzzy Hash: 8C41A575A00620AFEF10AF64EC86FBE77A59B49710F04805CF95AAB3D3DA755D008B91
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: 7fbca9ee00aba455a273311925bfd40b3a7b01510d9246d657959d7ae2303823
                      • Instruction ID: 78c1f75075e48b9ff63ed4fb6492e021d426538a877ec2a62155a051aca6b35f
                      • Opcode Fuzzy Hash: 7fbca9ee00aba455a273311925bfd40b3a7b01510d9246d657959d7ae2303823
                      • Instruction Fuzzy Hash: 3211C431B00A216FE7215FA6DC44AAF77D9FF46722F444029F846D7241CB349901CAA5
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0008C69D
                      • CoCreateInstance.OLE32(000B2D6C,00000000,00000001,000B2BDC,?), ref: 0008C6B5
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                      • CoUninitialize.OLE32 ref: 0008C922
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_memmove
                      • String ID: .lnk
                      • API String ID: 2683427295-24824748
                      • Opcode ID: 01d756b1f721d1df0392052e72836f22e63691c743a2cd3e10034f71020ec1c5
                      • Instruction ID: 968c7611e86a7a8eace6c6db154ef2bed30072366f3211ecf8b0fbd727dfc759
                      • Opcode Fuzzy Hash: 01d756b1f721d1df0392052e72836f22e63691c743a2cd3e10034f71020ec1c5
                      • Instruction Fuzzy Hash: 86A13B71108215AFD700EF54D892EABB7E8EF84704F04496CF59697192EB71AA09CBA2
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00061D88,?), ref: 0009C312
                      • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0009C324
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetSystemWow64DirectoryW$kernel32.dll
                      • API String ID: 2574300362-1816364905
                      • Opcode ID: 558901d82c30cb6f26452cde43987b183f9a165d87c43259fa733721bae922c8
                      • Instruction ID: 770c2beecbd7dd0e3d39841d12e2aa404553b5775b4d294a892dd8fdce506242
                      • Opcode Fuzzy Hash: 558901d82c30cb6f26452cde43987b183f9a165d87c43259fa733721bae922c8
                      • Instruction Fuzzy Hash: 4FE0C270A10B03CFFF304FA9C814E9676E4EF09745B80C439E8A5C6210E774D840CB60
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __itow__swprintf
                      • String ID:
                      • API String ID: 674341424-0
                      • Opcode ID: 8cb46668ec8e75aa8b215e9dbeb0a416a008fb93655d4a34e794216270c9df0a
                      • Instruction ID: 9695c5d4c978edc46c3384dcc90581b2a1abec775aaa63abbd88c00ea3e6f3a1
                      • Opcode Fuzzy Hash: 8cb46668ec8e75aa8b215e9dbeb0a416a008fb93655d4a34e794216270c9df0a
                      • Instruction Fuzzy Hash: 9122C0716083119FD725DF24C891BAFB7E9BF84704F10492DF89A97292DB31EA44CB92
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0009F151
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0009F15F
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                      • Process32NextW.KERNEL32(00000000,?), ref: 0009F21F
                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0009F22E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                      • String ID:
                      • API String ID: 2576544623-0
                      • Opcode ID: e33db532adaa2b1271beadfa0af9bcf7749515cb381a49eee7467a96c0262065
                      • Instruction ID: a4e7c892a6c4c33417a618b82d78fa18a9d2bf7fad4c12080fe2088b786f5c62
                      • Opcode Fuzzy Hash: e33db532adaa2b1271beadfa0af9bcf7749515cb381a49eee7467a96c0262065
                      • Instruction Fuzzy Hash: 9F515E715087119FD710EF24EC86EABBBE8FF98710F14482DF59597252EB709904CB92
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0007EB19
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      • Opcode ID: 64db8027c85aa1915a7459f64e01bc0ab9d4f4bc5cef5b2b43e967fdafb5bcc8
                      • Instruction ID: ffbcacf0bb34d1dbcf7408763f5bc841a4f554bc082e36f7a8dfa77c04d7e78a
                      • Opcode Fuzzy Hash: 64db8027c85aa1915a7459f64e01bc0ab9d4f4bc5cef5b2b43e967fdafb5bcc8
                      • Instruction Fuzzy Hash: 3E323675A007059FD728CF29C481A6AB7F1FF48310B15C5AEE89ADB7A2E770E941CB44
                      APIs
                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 000926D5
                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0009270C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Internet$AvailableDataFileQueryRead
                      • String ID:
                      • API String ID: 599397726-0
                      • Opcode ID: adcaa93bbab766719a40da939c76a904c9cc422970e88de5444361f18b8fca4a
                      • Instruction ID: 72d7bdf71d9fd01ffda5623c49df968d37ace2b499edfd2f0d8aaa021ca07de4
                      • Opcode Fuzzy Hash: adcaa93bbab766719a40da939c76a904c9cc422970e88de5444361f18b8fca4a
                      • Instruction Fuzzy Hash: D941E4B5604709BFEF20DE94DC85EFFB7FCEB40724F10406AF601A6541EA719E81A664
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0008B5AE
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0008B608
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0008B655
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      • Opcode ID: e0d4f4f365e76f61b1390dc1b3a42577db2f21edf0f0e9d6190184281e7da6e4
                      • Instruction ID: 4128373ec557c415f75661aaab8f9377e76308564fbd991832f9aaf53eb054e0
                      • Opcode Fuzzy Hash: e0d4f4f365e76f61b1390dc1b3a42577db2f21edf0f0e9d6190184281e7da6e4
                      • Instruction Fuzzy Hash: 9C219035A00618EFDB00EFA5D881AEDBBB8FF49310F0480A9E845AB352DB359915CB51
                      APIs
                        • Part of subcall function 00040FF6: std::exception::exception.LIBCMT ref: 0004102C
                        • Part of subcall function 00040FF6: __CxxThrowException@8.LIBCMT ref: 00041041
                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00078D0D
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00078D3A
                      • GetLastError.KERNEL32 ref: 00078D47
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                      • String ID:
                      • API String ID: 1922334811-0
                      • Opcode ID: 49223bed83b0373f1ed5351d0f33f06bc08a22d3bca1c66c0bb8f8eb576f91d7
                      • Instruction ID: df1f308de4baf4272538ed3044616cb91409d55e751a1881e41b45982e5ed218
                      • Opcode Fuzzy Hash: 49223bed83b0373f1ed5351d0f33f06bc08a22d3bca1c66c0bb8f8eb576f91d7
                      • Instruction Fuzzy Hash: D811B2B1814205AFE7289F64DC89D6BB7FCFB04710B10C52EF44597641DB34AC408B24
                      APIs
                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0008404B
                      • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00084088
                      • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00084091
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle
                      • String ID:
                      • API String ID: 33631002-0
                      • Opcode ID: 18ffa93fc303170159a4986c20c7a216660c99fbdd7049c71e3071c9974ba6fa
                      • Instruction ID: 0cb0986772b590f9c90a3a65bd469c17f9faf9c0c95ef6cdcf60a33acef74eb9
                      • Opcode Fuzzy Hash: 18ffa93fc303170159a4986c20c7a216660c99fbdd7049c71e3071c9974ba6fa
                      • Instruction Fuzzy Hash: F61152B1D04229BEE720DBE8DC44FBFBBBCEB09750F100656BA44E7191D2785D458BA1
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00084C2C
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00084C43
                      • FreeSid.ADVAPI32(?), ref: 00084C53
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      • Opcode ID: a0722ab54917a20cfa07e1e4a95b63b5e5a3cec17763dd8736f468535abd2f0b
                      • Instruction ID: 81205d09fcd23289719d49d791c20b1161e7d013c202b959bc0faf44e7774009
                      • Opcode Fuzzy Hash: a0722ab54917a20cfa07e1e4a95b63b5e5a3cec17763dd8736f468535abd2f0b
                      • Instruction Fuzzy Hash: 20F03775A11209BBEB04DFE09C89EBEBBBCEB08201F0044A9A901E2181E6746A048B50
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ea125c0918c6cf0ce2798f761ab16795c46a311613e0d93ac1c38fb19d562ab9
                      • Instruction ID: 2ac166cdca09dbd41cf73655a071ddedbaae90b847ae1748e62b7f7f3afe3e58
                      • Opcode Fuzzy Hash: ea125c0918c6cf0ce2798f761ab16795c46a311613e0d93ac1c38fb19d562ab9
                      • Instruction Fuzzy Hash: 1522D070A40266CFDB24DF54E484ABEB7F1FF08310F148169E956AB342E774AE85CB91
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 0008C966
                      • FindClose.KERNEL32(00000000), ref: 0008C996
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      • Opcode ID: d80ae8ceeab444ac2a6ef3d2f42258412bb5ef6cdb7505a2e990d77440466da8
                      • Instruction ID: 38a8914bfd27ed7703c27f840f61abab5f2bfd01a51e146cb66a76859769caa5
                      • Opcode Fuzzy Hash: d80ae8ceeab444ac2a6ef3d2f42258412bb5ef6cdb7505a2e990d77440466da8
                      • Instruction Fuzzy Hash: EC11A5326006109FD710EF29D845A6AF7E5FF45320F00895EF8A9D7291DB34AC00CB91
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0009977D,?,000AFB84,?), ref: 0008A302
                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0009977D,?,000AFB84,?), ref: 0008A314
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: 3f7afcbb39e49d66203385d49d2ed76a73ac5b6c1f324b305ac37bc6a6afa669
                      • Instruction ID: 2e819b905cf25382be291918d73f8075f3764f9cea3dd123bc967ecfb32038ee
                      • Opcode Fuzzy Hash: 3f7afcbb39e49d66203385d49d2ed76a73ac5b6c1f324b305ac37bc6a6afa669
                      • Instruction Fuzzy Hash: FCF0823564422DBBEB20AFA4CC48FEA776DBF09762F004166B948D6181D6309A44CBE1
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00078851), ref: 00078728
                      • CloseHandle.KERNEL32(?,?,00078851), ref: 0007873A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      • Opcode ID: fc51eeacaedf3a53d82060f90b1d3cc0c9cc6f9e86e75413d88763a4642cb5f8
                      • Instruction ID: 934bd15e194a8ee619c020e0f51444cc93725645dd99674e9cfb785028c241f8
                      • Opcode Fuzzy Hash: fc51eeacaedf3a53d82060f90b1d3cc0c9cc6f9e86e75413d88763a4642cb5f8
                      • Instruction Fuzzy Hash: 61E04672000A01EEEB252B60EC08DB37BE9EB003507208839B49680431CB62ACE0DB10
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00048F97,?,?,?,00000001), ref: 0004A39A
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0004A3A3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: b0dc7734f3bc00b3aad154c24d373d23a4fcfde39065b05d78ea1b097cc91fd5
                      • Instruction ID: 8eb26ffcfb958aed445ca6e6b707e421638f24306f76202c051f4e7373a61562
                      • Opcode Fuzzy Hash: b0dc7734f3bc00b3aad154c24d373d23a4fcfde39065b05d78ea1b097cc91fd5
                      • Instruction Fuzzy Hash: 54B0923205460AABEF002BD1EC59BA83F68EB46AA2F404020F60D84060CBE656508A91
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b1a05da662e97d70db29166ec363e4228a43aeb62d956b8b368dea606a04f578
                      • Instruction ID: d2bf8c326c1dbaa3a822b533bbe4d6fa34f1d2d13dd07ddc025e12de07a2e377
                      • Opcode Fuzzy Hash: b1a05da662e97d70db29166ec363e4228a43aeb62d956b8b368dea606a04f578
                      • Instruction Fuzzy Hash: 6C322661D69F024DEB639634DC72335A288EFB73C4F15D737E819B5AA6EB28C4834104
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26e56efa24915c3821e3d2c1245e37eb3c34e25c70ef4d231ea3487f2f1bcb40
                      • Instruction ID: 4af3f52b1f99cb0e9be554e98cd873ca6ca3bdd1908291c8f6626f055663cf7d
                      • Opcode Fuzzy Hash: 26e56efa24915c3821e3d2c1245e37eb3c34e25c70ef4d231ea3487f2f1bcb40
                      • Instruction Fuzzy Hash: 37B10120E2AF414DE72396398835336BB8CAFBB6C5F51D71BFC2674D22EB2585834241
                      APIs
                      • __time64.LIBCMT ref: 00088B25
                        • Part of subcall function 0004543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,000891F8,00000000,?,?,?,?,000893A9,00000000,?), ref: 00045443
                        • Part of subcall function 0004543A: __aulldiv.LIBCMT ref: 00045463
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Time$FileSystem__aulldiv__time64
                      • String ID:
                      • API String ID: 2893107130-0
                      • Opcode ID: c861c6dfa021452ff5ba5dee3d8c328cc7a49ce03266da40b8ec2ef5c1513037
                      • Instruction ID: b2c157183f4e1700615efe1372b1f8536bb34ae229639697ef0e10d7c5e01714
                      • Opcode Fuzzy Hash: c861c6dfa021452ff5ba5dee3d8c328cc7a49ce03266da40b8ec2ef5c1513037
                      • Instruction Fuzzy Hash: 6021E4726356108FD729CF25D841A52B3E1EFA4311B688E6CD0E9CF2D0CA74BD05CB94
                      APIs
                      • BlockInput.USER32(00000001), ref: 00094218
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BlockInput
                      • String ID:
                      • API String ID: 3456056419-0
                      • Opcode ID: cfb20d26386464b543d252ffc221d976486ae073a10ccbfcdc3b9f3417a9661e
                      • Instruction ID: 533e650673cd890328e4a45fac536ab98dcd550bbcf39565ae1fbc018a67de93
                      • Opcode Fuzzy Hash: cfb20d26386464b543d252ffc221d976486ae073a10ccbfcdc3b9f3417a9661e
                      • Instruction Fuzzy Hash: 87E04F312442149FDB10EF59E845E9AF7E8AF98760F008026FC49C7352DA70E8418BA1
                      APIs
                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00084EEC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: mouse_event
                      • String ID:
                      • API String ID: 2434400541-0
                      • Opcode ID: 12b139488363ee047c0270769aa6b64c491aa26a2e7c3ca64e532383d28f3154
                      • Instruction ID: c906b816188a35d86bca43fa4f4c0326521d9dc40f19b45a2a25b470846a4659
                      • Opcode Fuzzy Hash: 12b139488363ee047c0270769aa6b64c491aa26a2e7c3ca64e532383d28f3154
                      • Instruction Fuzzy Hash: 04D05E98560B0779FCA86B249C5FF7B1148F300782FD0414AB182894C2E8D46C505230
                      APIs
                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000788D1), ref: 00078CB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LogonUser
                      • String ID:
                      • API String ID: 1244722697-0
                      • Opcode ID: 3a5463da9a0227678c840ae311c0b8bf845fe028d2e3d3f80935487788226c36
                      • Instruction ID: e18e4c36d1f743d5186b0e1ead8d6fbbdcb94de6c1fe4f1fdd30bb5488b639af
                      • Opcode Fuzzy Hash: 3a5463da9a0227678c840ae311c0b8bf845fe028d2e3d3f80935487788226c36
                      • Instruction Fuzzy Hash: 49D05E322A090EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1C775D835AF60
                      APIs
                      • GetUserNameW.ADVAPI32(?,?), ref: 00062242
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: 9a983c11dad0175610b219bd6a15976c462777aab2d9cc076736aa8821ed42f5
                      • Instruction ID: 462de1c136c305e4da2285551dd380f07527a222feb70c70b7e3f0fcec939941
                      • Opcode Fuzzy Hash: 9a983c11dad0175610b219bd6a15976c462777aab2d9cc076736aa8821ed42f5
                      • Instruction Fuzzy Hash: A5C04CF1800509DBDB15DB90D988DFE77BCAB04304F144055A141F2100D7749B448A71
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0004A36A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 0bb39d376d1f8ef43fcbe03ac48761fadad4f7302f9007889786d5d61363de59
                      • Instruction ID: 1b875fd39ac93c63c5ac2bdcce6490b8030891be5f9fdd52e8e2afb2f633c5fe
                      • Opcode Fuzzy Hash: 0bb39d376d1f8ef43fcbe03ac48761fadad4f7302f9007889786d5d61363de59
                      • Instruction Fuzzy Hash: 38A0123100010DA78F001B81EC044547F5CD7011907004020F40C4002187B255104580
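The records above give, per function, the imports Joe Sandbox resolved (with module and call site), the strings the function references, and the hashes it uses for similarity matching. The following Python is an added example, not part of the report and not code from the sample: it parses records in this layout and flags the API usage an analyst would pull out first for an AgentTesla loader of this kind (BlockInput, LogonUserW, SetUnhandledExceptionFilter), then groups functions by API String ID. The tactic labels in RULES are the editor's own. The sample text is constructed from records shown on this page with the Memory Dump Source lines trimmed, and the grouping relies on the convention visible in these records that API String ID pairs the API-set hash with the string-set hash (the second part is 0 when the function references no strings).

```python
"""Parse Joe Sandbox per-function records ('APIs' / 'Similarity' layout) and
flag API usage worth a second look. Added example; RULES labels are the
editor's own and SAMPLE is constructed from records on the page, trimmed."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• BlockInput.USER32(00000001), ref: 00094218
Memory Dump Source
• Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: cfb20d26386464b543d252ffc221d976486ae073a10ccbfcdc3b9f3417a9661e
• Instruction Fuzzy Hash: 87E04F312442149FDB10EF59E845E9AF7E8AF98760F008026FC49C7352DA70E8418BA1
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,000788D1), ref: 00078CB3
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: 3a5463da9a0227678c840ae311c0b8bf845fe028d2e3d3f80935487788226c36
• Instruction Fuzzy Hash: 49D05E322A090EABEF018EA4DC01EBE3B69EB04B01F408111FE15C50A1C775D835AF60
APIs
• __time64.LIBCMT ref: 00088B25
  • Part of subcall function 0004543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?), ref: 00045443
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: c861c6dfa021452ff5ba5dee3d8c328cc7a49ce03266da40b8ec2ef5c1513037
• Instruction Fuzzy Hash: 6021E4726356108FD729CF25D841A52B3E1EFA4311B688E6CD0E9CF2D0CA74BD05CB94
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0004A36A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 0bb39d376d1f8ef43fcbe03ac48761fadad4f7302f9007889786d5d61363de59
• Instruction Fuzzy Hash: 38A0123100010DA78F001B81EC044547F5CD7011907004020F40C4002187B255104580
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: b0dc7734f3bc00b3aad154c24d373d23a4fcfde39065b05d78ea1b097cc91fd5
• Instruction Fuzzy Hash: 54B0923205460AABEF002BD1EC59BA83F68EB46AA2F404020F60D84060CBE656508A91
"""

# One API reference: optional 'Part of subcall function XXXX:' prefix, then
# Name.MODULE, optional (args), then 'ref: ADDRESS'. Args are not captured.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$"
)

# Editor's own labels for the imports that matter most in this sample.
RULES = {
    "BlockInput": "blocks keyboard and mouse input, hindering interactive debugging",
    "SetUnhandledExceptionFilter": "installs a top-level exception filter; a common debugger check, since an attached debugger sees the exception first",
    "LogonUserW": "logs on with caller-supplied credentials",
    "GetUserNameW": "reads the current user name (discovery)",
    "mouse_event": "synthesizes mouse input",
}


def parse_records(text):
    """Return one dict per function: 'apis' as (api, module, ref, parent) and
    'fields' for the bullet key/value lines; a record closes at the
    Instruction Fuzzy Hash line, which is always last in this layout."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue  # 'APIs', 'Similarity' etc. are headers with no data
        line = line.lstrip("• ").strip()
        if cur is None:
            cur = {"apis": [], "fields": {}}
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["api"], m["mod"], m["ref"], m["parent"]))
            continue
        key, _, value = line.partition(":")
        cur["fields"][key.strip()] = value.strip()
        if key.strip() == "Instruction Fuzzy Hash":
            cur["strings"] = [s for s in cur["fields"].get("String ID", "").split("$") if s]
            records.append(cur)
            cur = None
    return records


def triage(records):
    """Direct (non-subcall) calls to APIs in RULES, with the call site and the
    start of the function's Opcode ID so the hit can be found in the report."""
    hits = []
    for rec in records:
        for api, mod, ref, parent in rec["apis"]:
            if api in RULES and parent is None:
                hits.append({"api": api, "module": mod, "ref": ref,
                             "opcode_id": rec["fields"].get("Opcode ID", "")[:12],
                             "why": RULES[api]})
    return hits


def group_by_api_profile(records):
    """API String IDs shared by more than one function: same import/string
    profile but different Opcode IDs means distinct code with the same API use."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["fields"].get("API String ID", "")].append(rec["fields"].get("Opcode ID", ""))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for h in triage(recs):
        print(f"{h['ref']} {h['module']}!{h['api']} ({h['opcode_id']}...): {h['why']}")
    for profile, opcodes in group_by_api_profile(recs).items():
        print(f"API profile {profile} shared by {len(opcodes)} functions")
```

Run against the full report text (copied from the page, Memory Dump Source lines can stay in) to get the same per-function view for every record; the two ExceptionFilterUnhandled functions on this page come out as one shared profile with two Opcode IDs.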
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 689e8ea8154284cb4c9deacbb10cc0e4bb8e60c7fad3288210c62a44febdaa9e
                      • Instruction ID: 82aadfde6812fc2c55fc957eb6fb1bd59904894ea9b2f79e4b80617ea561474b
                      • Opcode Fuzzy Hash: 689e8ea8154284cb4c9deacbb10cc0e4bb8e60c7fad3288210c62a44febdaa9e
                      • Instruction Fuzzy Hash: F0226B30A15716CBDF798B14C8846BDB7F5FB01301F64C4AAF84A8B191EB789D82CB65
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction ID: cc6b09288ee43faaa0e013c6bca19d707b08ab7ba306ba87009fe5ceab873f5c
                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                      • Instruction Fuzzy Hash: D3C1A4B230509309EBAD4639943417EBAE16BA27B139A077DF4B3CB4C4FF20D569D624
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction ID: 3ea8159766f592d1e98463ff4166845e8fa4f2f007035fa5654d0e7e7038ed7b
                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                      • Instruction Fuzzy Hash: 69C1B6B220519309EBAD4639843407EBBE16B927B139A077DF4B2DB5C4FF20D568D624
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction ID: bcd7f92e71f6db39c3ad7804a2937a47abcef2d107e5d894e628ec4f48217b22
                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                      • Instruction Fuzzy Hash: E1C1C4B220515309EFAD463AD4340BEBBE16BA27B135A077DE4B2CB4C4FF20D5A9D614
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 00097B70
                      • DeleteObject.GDI32(00000000), ref: 00097B82
                      • DestroyWindow.USER32 ref: 00097B90
                      • GetDesktopWindow.USER32 ref: 00097BAA
                      • GetWindowRect.USER32(00000000), ref: 00097BB1
                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00097CF2
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00097D02
                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097D4A
                      • GetClientRect.USER32(00000000,?), ref: 00097D56
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00097D90
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DB2
                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DC5
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DD0
                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DD9
                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DE8
                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DF1
                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097DF8
                      • GlobalFree.KERNEL32(00000000), ref: 00097E03
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097E15
                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,000B2CAC,00000000), ref: 00097E2B
                      • GlobalFree.KERNEL32(00000000), ref: 00097E3B
                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00097E61
                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00097E80
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00097EA2
                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0009808F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                      • String ID: $AutoIt v3$DISPLAY$static
                      • API String ID: 2211948467-2373415609
                      • Opcode ID: 8f1bdf2fa610b7deb06b716ced0b0fa113194a9548ba9028933f1726dd411d69
                      • Instruction ID: 083f5f188e8529779afc97137a753925172f101a1368107d6ae83f47e5d06d67
                      • Opcode Fuzzy Hash: 8f1bdf2fa610b7deb06b716ced0b0fa113194a9548ba9028933f1726dd411d69
                      • Instruction Fuzzy Hash: D9027C71910115EFEF14DFA4DC89EAE7BB9EF49310F148168F909AB2A1CB35AD01CB60
                      APIs
                      • CharUpperBuffW.USER32(?,?,000AF910), ref: 000A38AF
                      • IsWindowVisible.USER32(?), ref: 000A38D3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharUpperVisibleWindow
                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                      • API String ID: 4105515805-45149045
                      • Opcode ID: 5b9e21f075fabca15999bca5877be8dbf20498d07149aef81a1f3476dcbebebb
                      • Instruction ID: 860f231b65a2c74f2550d6b5d3397550a66566fe7336d9d91a258515897cc349
                      • Opcode Fuzzy Hash: 5b9e21f075fabca15999bca5877be8dbf20498d07149aef81a1f3476dcbebebb
                      • Instruction Fuzzy Hash: 5CD1A230604315DBCB24EF50C851EAEB7E1AF55354F11846DB8866B3A3CB35EE0ACB96
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 000AA89F
                      • GetSysColorBrush.USER32(0000000F), ref: 000AA8D0
                      • GetSysColor.USER32(0000000F), ref: 000AA8DC
                      • SetBkColor.GDI32(?,000000FF), ref: 000AA8F6
                      • SelectObject.GDI32(?,?), ref: 000AA905
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 000AA930
                      • GetSysColor.USER32(00000010), ref: 000AA938
                      • CreateSolidBrush.GDI32(00000000), ref: 000AA93F
                      • FrameRect.USER32(?,?,00000000), ref: 000AA94E
                      • DeleteObject.GDI32(00000000), ref: 000AA955
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 000AA9A0
                      • FillRect.USER32(?,?,?), ref: 000AA9D2
                      • GetWindowLongW.USER32(?,000000F0), ref: 000AA9FD
                        • Part of subcall function 000AAB60: GetSysColor.USER32(00000012), ref: 000AAB99
                        • Part of subcall function 000AAB60: SetTextColor.GDI32(?,?), ref: 000AAB9D
                        • Part of subcall function 000AAB60: GetSysColorBrush.USER32(0000000F), ref: 000AABB3
                        • Part of subcall function 000AAB60: GetSysColor.USER32(0000000F), ref: 000AABBE
                        • Part of subcall function 000AAB60: GetSysColor.USER32(00000011), ref: 000AABDB
                        • Part of subcall function 000AAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 000AABE9
                        • Part of subcall function 000AAB60: SelectObject.GDI32(?,00000000), ref: 000AABFA
                        • Part of subcall function 000AAB60: SetBkColor.GDI32(?,00000000), ref: 000AAC03
                        • Part of subcall function 000AAB60: SelectObject.GDI32(?,?), ref: 000AAC10
                        • Part of subcall function 000AAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 000AAC2F
                        • Part of subcall function 000AAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000AAC46
                        • Part of subcall function 000AAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 000AAC5B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                      • String ID:
                      • API String ID: 4124339563-0
                      • Opcode ID: 6ed427be710231eaa18a205dcb70e2d6b207f018db084514f64234a090ab01d7
                      • Instruction ID: 9c023b59c5781348ab7d9755574f26fdbce02f914caa49d79f8e7da625908da1
                      • Opcode Fuzzy Hash: 6ed427be710231eaa18a205dcb70e2d6b207f018db084514f64234a090ab01d7
                      • Instruction Fuzzy Hash: 54A1A271508702AFE7109FA4DC08E6B7BE9FF8A321F104B29F562961E1D738D844CB52
                      APIs
                      • DestroyWindow.USER32(?,?,?), ref: 00022CA2
                      • DeleteObject.GDI32(00000000), ref: 00022CE8
                      • DeleteObject.GDI32(00000000), ref: 00022CF3
                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00022CFE
                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00022D09
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0005C68B
                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0005C6C4
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0005CAED
                        • Part of subcall function 00021B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00022036,?,00000000,?,?,?,?,000216CB,00000000,?), ref: 00021B9A
                      • SendMessageW.USER32(?,00001053), ref: 0005CB2A
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0005CB41
                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0005CB57
                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0005CB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                      • String ID: 0
                      • API String ID: 464785882-4108050209
                      • Opcode ID: 0fb6ca54442d59681d990b37a01fd5b937cb2bdc2b303041c5eb2a9157746e7c
                      • Instruction ID: 80e72c2f23d5ca30b4a69373fbd3b891eecd0a64392a9e8703b1dba64cd7e284
                      • Opcode Fuzzy Hash: 0fb6ca54442d59681d990b37a01fd5b937cb2bdc2b303041c5eb2a9157746e7c
                      • Instruction Fuzzy Hash: 3312BE30604715EFEB60CF24C888FAABBE5BF09311F544569E886DB662C731EC46CB91
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 000977F1
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 000978B0
                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 000978EE
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00097900
                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00097946
                      • GetClientRect.USER32(00000000,?), ref: 00097952
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00097996
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000979A5
                      • GetStockObject.GDI32(00000011), ref: 000979B5
                      • SelectObject.GDI32(00000000,00000000), ref: 000979B9
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 000979C9
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000979D2
                      • DeleteDC.GDI32(00000000), ref: 000979DB
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00097A07
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00097A1E
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00097A59
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00097A6D
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00097A7E
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00097AAE
                      • GetStockObject.GDI32(00000011), ref: 00097AB9
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00097AC4
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00097ACE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-517079104
                      • Opcode ID: 49f0f68c5e9f8e40bbfca02ba49f265a459e8fc34d0752f8d54edd6b238bdf48
                      • Instruction ID: 51017950bff24cf81f43db6780fe6c0fdbe0f5128bd6d99808bdced6323edf89
                      • Opcode Fuzzy Hash: 49f0f68c5e9f8e40bbfca02ba49f265a459e8fc34d0752f8d54edd6b238bdf48
                      • Instruction Fuzzy Hash: 89A18E71A40615BFEB149BA4DC8AFBF7BB9EB45710F004118FA14AB2E0CB74AD00CB64
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0008AF89
                      • GetDriveTypeW.KERNEL32(?,000AFAC0,?,\\.\,000AF910), ref: 0008B066
                      • SetErrorMode.KERNEL32(00000000,000AFAC0,?,\\.\,000AF910), ref: 0008B1C4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      • API String ID: 2907320926-4222207086
                      • Opcode ID: ace2fe440a295516c6f3408d8fce500b5d266a5cbd0e98552b11060a208ed02d
                      • Instruction ID: ac1eb617138c5f295237129d1c23124c0c27db149e7f394af476a17a4c4fe346
                      • Opcode Fuzzy Hash: ace2fe440a295516c6f3408d8fce500b5d266a5cbd0e98552b11060a208ed02d
                      • Instruction Fuzzy Hash: 0151A130788305ABCF20FB50CDA69BD77B0BB16351BA04016E58AAF392CB759D41DB62
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 1038674560-86951937
                      • Opcode ID: 223d1bbf2d555b579d62761b66bfb24b7b9e6284121605288138140d124cf838
                      • Instruction ID: 8c61cea39673c5c2fd79af7d44b1de5f80b301dc8bc8e111b9b6a8e05edf39d4
                      • Opcode Fuzzy Hash: 223d1bbf2d555b579d62761b66bfb24b7b9e6284121605288138140d124cf838
                      • Instruction Fuzzy Hash: 95814CB0640265BACB25AF60DC82FFF77A8AF15301F044035FD45AA1C3EB61DB99C666
                      APIs
                      • GetSysColor.USER32(00000012), ref: 000AAB99
                      • SetTextColor.GDI32(?,?), ref: 000AAB9D
                      • GetSysColorBrush.USER32(0000000F), ref: 000AABB3
                      • GetSysColor.USER32(0000000F), ref: 000AABBE
                      • CreateSolidBrush.GDI32(?), ref: 000AABC3
                      • GetSysColor.USER32(00000011), ref: 000AABDB
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 000AABE9
                      • SelectObject.GDI32(?,00000000), ref: 000AABFA
                      • SetBkColor.GDI32(?,00000000), ref: 000AAC03
                      • SelectObject.GDI32(?,?), ref: 000AAC10
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 000AAC2F
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 000AAC46
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 000AAC5B
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 000AACA7
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000AACCE
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 000AACEC
                      • DrawFocusRect.USER32(?,?), ref: 000AACF7
                      • GetSysColor.USER32(00000011), ref: 000AAD05
                      • SetTextColor.GDI32(?,00000000), ref: 000AAD0D
                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 000AAD21
                      • SelectObject.GDI32(?,000AA869), ref: 000AAD38
                      • DeleteObject.GDI32(?), ref: 000AAD43
                      • SelectObject.GDI32(?,?), ref: 000AAD49
                      • DeleteObject.GDI32(?), ref: 000AAD4E
                      • SetTextColor.GDI32(?,?), ref: 000AAD54
                      • SetBkColor.GDI32(?,?), ref: 000AAD5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1996641542-0
                      • Opcode ID: 1eb9faa200c390ade5afb23fda04d07f095061a26fd295316544cbde13a958d8
                      • Instruction ID: f562e5fc15b44cec67857e01e69fd756360b6d29d0e54364f595a06769548ffb
                      • Opcode Fuzzy Hash: 1eb9faa200c390ade5afb23fda04d07f095061a26fd295316544cbde13a958d8
                      • Instruction Fuzzy Hash: C1615E71900619EFEB119FE4DC48EEE7BB9EB0A320F104225F915AB2E1D7759D40DB90
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 000A8D34
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A8D45
                      • CharNextW.USER32(0000014E), ref: 000A8D74
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 000A8DB5
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 000A8DCB
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A8DDC
                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 000A8DF9
                      • SetWindowTextW.USER32(?,0000014E), ref: 000A8E45
                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 000A8E5B
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 000A8E8C
                      • _memset.LIBCMT ref: 000A8EB1
                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 000A8EFA
                      • _memset.LIBCMT ref: 000A8F59
                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 000A8F83
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 000A8FDB
                      • SendMessageW.USER32(?,0000133D,?,?), ref: 000A9088
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 000A90AA
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000A90F4
                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 000A9121
                      • DrawMenuBar.USER32(?), ref: 000A9130
                      • SetWindowTextW.USER32(?,0000014E), ref: 000A9158
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                      • String ID: 0
                      • API String ID: 1073566785-4108050209
                      • Opcode ID: 90e1d82cdc06a66a7c47942108a17e518c6b864138d5e73ed530b99a06c78ea2
                      • Instruction ID: 363b36afc10a8012dc18c66b0e63c0149ede8271a9d4e6f6b1b84659064ae6dc
                      • Opcode Fuzzy Hash: 90e1d82cdc06a66a7c47942108a17e518c6b864138d5e73ed530b99a06c78ea2
                      • Instruction Fuzzy Hash: 54E17070900219AFDF20DFE1CC88EEE7BB9EF06750F148165F915AA291DB748A85DF60
                      APIs
                      • GetCursorPos.USER32(?), ref: 000A4C51
                      • GetDesktopWindow.USER32 ref: 000A4C66
                      • GetWindowRect.USER32(00000000), ref: 000A4C6D
                      • GetWindowLongW.USER32(?,000000F0), ref: 000A4CCF
                      • DestroyWindow.USER32(?), ref: 000A4CFB
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 000A4D24
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000A4D42
                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 000A4D68
                      • SendMessageW.USER32(?,00000421,?,?), ref: 000A4D7D
                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 000A4D90
                      • IsWindowVisible.USER32(?), ref: 000A4DB0
                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 000A4DCB
                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 000A4DDF
                      • GetWindowRect.USER32(?,?), ref: 000A4DF7
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 000A4E1D
                      • GetMonitorInfoW.USER32(00000000,?), ref: 000A4E37
                      • CopyRect.USER32(?,?), ref: 000A4E4E
                      • SendMessageW.USER32(?,00000412,00000000), ref: 000A4EB9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 06420279adce1bb92e17b5ad9a9a6647a209a6cdd6dea164ab4cbe228df36ab8
                      • Instruction ID: 2627da897fbe4089a327474559901a184336615195a947ea4786819fc21756d9
                      • Opcode Fuzzy Hash: 06420279adce1bb92e17b5ad9a9a6647a209a6cdd6dea164ab4cbe228df36ab8
                      • Instruction Fuzzy Hash: B5B18D75604351AFDB44DFA4D848B6ABBE4FF85310F00891CF5999B2A2D7B5EC04CB91
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000228BC
                      • GetSystemMetrics.USER32(00000007), ref: 000228C4
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 000228EF
                      • GetSystemMetrics.USER32(00000008), ref: 000228F7
                      • GetSystemMetrics.USER32(00000004), ref: 0002291C
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00022939
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00022949
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0002297C
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00022990
                      • GetClientRect.USER32(00000000,000000FF), ref: 000229AE
                      • GetStockObject.GDI32(00000011), ref: 000229CA
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 000229D5
                        • Part of subcall function 00022344: GetCursorPos.USER32(?), ref: 00022357
                        • Part of subcall function 00022344: ScreenToClient.USER32(000E67B0,?), ref: 00022374
                        • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000001), ref: 00022399
                        • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000002), ref: 000223A7
                      • SetTimer.USER32(00000000,00000000,00000028,00021256), ref: 000229FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: 244746997ea22244e52ade8ef539e9c413cd7c7e2f0f9a353cdcfaa7ddb52a4c
                      • Instruction ID: e11e9d5adff84dd328f9f74fb7f3ad2292280eac6c0370c998da3234dc449978
                      • Opcode Fuzzy Hash: 244746997ea22244e52ade8ef539e9c413cd7c7e2f0f9a353cdcfaa7ddb52a4c
                      • Instruction Fuzzy Hash: 42B17071A0021AEFEB14DFA8EC85BAE7BB4FB08711F104229FA15A7290DB74D941CB50
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 000A40F6
                      • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 000A41B6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                      • API String ID: 3974292440-719923060
                      • Opcode ID: 0d11c1dfed3c039e2504960b129bcd90b0805741183c4932706f68b610d01e0d
                      • Instruction ID: 67b05e96bb872e65b71f3d441a937ca921125b062011d520fce051f05fe9f485
                      • Opcode Fuzzy Hash: 0d11c1dfed3c039e2504960b129bcd90b0805741183c4932706f68b610d01e0d
                      • Instruction Fuzzy Hash: ACA1BC34614311DBCB14EF60C842AAEB3E5AF85314F14896DB89AAB393DB74ED09CB51
                      APIs
                      • LoadCursorW.USER32(00000000,00007F89), ref: 00095309
                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00095314
                      • LoadCursorW.USER32(00000000,00007F00), ref: 0009531F
                      • LoadCursorW.USER32(00000000,00007F03), ref: 0009532A
                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00095335
                      • LoadCursorW.USER32(00000000,00007F01), ref: 00095340
                      • LoadCursorW.USER32(00000000,00007F81), ref: 0009534B
                      • LoadCursorW.USER32(00000000,00007F88), ref: 00095356
                      • LoadCursorW.USER32(00000000,00007F80), ref: 00095361
                      • LoadCursorW.USER32(00000000,00007F86), ref: 0009536C
                      • LoadCursorW.USER32(00000000,00007F83), ref: 00095377
                      • LoadCursorW.USER32(00000000,00007F85), ref: 00095382
                      • LoadCursorW.USER32(00000000,00007F82), ref: 0009538D
                      • LoadCursorW.USER32(00000000,00007F84), ref: 00095398
                      • LoadCursorW.USER32(00000000,00007F04), ref: 000953A3
                      • LoadCursorW.USER32(00000000,00007F02), ref: 000953AE
                      • GetCursorInfo.USER32(?), ref: 000953BE
                      • GetLastError.KERNEL32(00000001,00000000), ref: 000953E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Cursor$Load$ErrorInfoLast
                      • String ID:
                      • API String ID: 3215588206-0
                      • Opcode ID: 97bd6693ca5a25280fdad8dfd9fb97ca17c73804906cc9064fdfbaba6d17519a
                      • Instruction ID: 56a2e2d4c009e96954616a4ad18e01b603b0a3aa482763d5afde265559b40195
                      • Opcode Fuzzy Hash: 97bd6693ca5a25280fdad8dfd9fb97ca17c73804906cc9064fdfbaba6d17519a
                      • Instruction Fuzzy Hash: 66417370E083196ADF509FBA8C4986EFFF8EF51B10F10452FA519E7291DAB89500CF51
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 0007AAA5
                      • __swprintf.LIBCMT ref: 0007AB46
                      • _wcscmp.LIBCMT ref: 0007AB59
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0007ABAE
                      • _wcscmp.LIBCMT ref: 0007ABEA
                      • GetClassNameW.USER32(?,?,00000400), ref: 0007AC21
                      • GetDlgCtrlID.USER32(?), ref: 0007AC73
                      • GetWindowRect.USER32(?,?), ref: 0007ACA9
                      • GetParent.USER32(?), ref: 0007ACC7
                      • ScreenToClient.USER32(00000000), ref: 0007ACCE
                      • GetClassNameW.USER32(?,?,00000100), ref: 0007AD48
                      • _wcscmp.LIBCMT ref: 0007AD5C
                      • GetWindowTextW.USER32(?,?,00000400), ref: 0007AD82
                      • _wcscmp.LIBCMT ref: 0007AD96
                        • Part of subcall function 0004386C: _iswctype.LIBCMT ref: 00043874
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                      • String ID: %s%u
                      • API String ID: 3744389584-679674701
                      • Opcode ID: 8db46bb3878784f6e72db9b44c150596519c6593c2bb07d40c49399c9877a6c6
                      • Instruction ID: b9ed06e2ebd4f30c9c870b7480449782f0749346d66e0223575b7a7049849202
                      • Opcode Fuzzy Hash: 8db46bb3878784f6e72db9b44c150596519c6593c2bb07d40c49399c9877a6c6
                      • Instruction Fuzzy Hash: DFA1F071B04606AFD724DF60C884BEEB7E8FF85315F008529F99E82151DB38E945CB96
                      APIs
                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0007B3DB
                      • _wcscmp.LIBCMT ref: 0007B3EC
                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0007B414
                      • CharUpperBuffW.USER32(?,00000000), ref: 0007B431
                      • _wcscmp.LIBCMT ref: 0007B44F
                      • _wcsstr.LIBCMT ref: 0007B460
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0007B498
                      • _wcscmp.LIBCMT ref: 0007B4A8
                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0007B4CF
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0007B518
                      • _wcscmp.LIBCMT ref: 0007B528
                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0007B550
                      • GetWindowRect.USER32(00000004,?), ref: 0007B5B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                      • String ID: @$ThumbnailClass
                      • API String ID: 1788623398-1539354611
                      • Opcode ID: de2a6732c7a9386d5a1aade01eb1623d8d6d81174177bda0fb6ccb19c0abaab4
                      • Instruction ID: f08ec036b5cc439c1e3230c47848758f50220cfc6a561f77f5601959d10e536d
                      • Opcode Fuzzy Hash: de2a6732c7a9386d5a1aade01eb1623d8d6d81174177bda0fb6ccb19c0abaab4
                      • Instruction Fuzzy Hash: 5F81AF7140830A9FDB54DF14C885FAA7BE8EF44314F08C569FD899A092DB38DE49CB65
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                      • API String ID: 1038674560-1810252412
                      • Opcode ID: 7cf5214f6f4a68872309f66ba7428cc2cbaa5dc71f6a7d3246a16b273239cfb1
                      • Instruction ID: 5c86f6bbb72855a63da11d174ab1e9a366efabc5bc1f5fd17759cda9b0d80f40
                      • Opcode Fuzzy Hash: 7cf5214f6f4a68872309f66ba7428cc2cbaa5dc71f6a7d3246a16b273239cfb1
                      • Instruction Fuzzy Hash: C431F030A49315A6DB14FA60DD43FEE77B89F20750F20402AF909B51E3EF65AF05C669
                      APIs
                      • LoadIconW.USER32(00000063), ref: 0007C4D4
                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0007C4E6
                      • SetWindowTextW.USER32(?,?), ref: 0007C4FD
                      • GetDlgItem.USER32(?,000003EA), ref: 0007C512
                      • SetWindowTextW.USER32(00000000,?), ref: 0007C518
                      • GetDlgItem.USER32(?,000003E9), ref: 0007C528
                      • SetWindowTextW.USER32(00000000,?), ref: 0007C52E
                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0007C54F
                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0007C569
                      • GetWindowRect.USER32(?,?), ref: 0007C572
                      • SetWindowTextW.USER32(?,?), ref: 0007C5DD
                      • GetDesktopWindow.USER32 ref: 0007C5E3
                      • GetWindowRect.USER32(00000000), ref: 0007C5EA
                      • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0007C636
                      • GetClientRect.USER32(?,?), ref: 0007C643
                      • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0007C668
                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0007C693
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                      • String ID:
                      • API String ID: 3869813825-0
                      • Opcode ID: 33b3de1d16d43a607bd82c08ccebd738e2aacee0ea136d82c3734a6e319c6791
                      • Instruction ID: 84d64b94fbed1835c5671d3685536482a8c43fd7211d53c3462a7373b2dc78d4
                      • Opcode Fuzzy Hash: 33b3de1d16d43a607bd82c08ccebd738e2aacee0ea136d82c3734a6e319c6791
                      • Instruction Fuzzy Hash: 49513F71900B0AAFEB209FA8DD85F6EBBF5FF04705F00452CE686A25A0D779E944CB54
                      APIs
                      • _memset.LIBCMT ref: 000AA4C8
                      • DestroyWindow.USER32(?,?), ref: 000AA542
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 000AA5BC
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 000AA5DE
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000AA5F1
                      • DestroyWindow.USER32(00000000), ref: 000AA613
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00020000,00000000), ref: 000AA64A
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 000AA663
                      • GetDesktopWindow.USER32 ref: 000AA67C
                      • GetWindowRect.USER32(00000000), ref: 000AA683
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 000AA69B
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 000AA6B3
                        • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                      • String ID: 0$tooltips_class32
                      • API String ID: 1297703922-3619404913
                      • Opcode ID: d3504bba0d2ab624ce71b5597b0810a13f1da7700e1e49aa71bb4324cac69a46
                      • Instruction ID: 09402e10381059f44603e29a26fa0127927d4b36bf6a36e77583a02e4e4b4a55
                      • Opcode Fuzzy Hash: d3504bba0d2ab624ce71b5597b0810a13f1da7700e1e49aa71bb4324cac69a46
                      • Instruction Fuzzy Hash: 4371BE70240245AFE720CF68DC45F6A77E5FB9A700F08452DF9859B2A1DB75E901CF62
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • DragQueryPoint.SHELL32(?,?), ref: 000AC917
                        • Part of subcall function 000AADF1: ClientToScreen.USER32(?,?), ref: 000AAE1A
                        • Part of subcall function 000AADF1: GetWindowRect.USER32(?,?), ref: 000AAE90
                        • Part of subcall function 000AADF1: PtInRect.USER32(?,?,000AC304), ref: 000AAEA0
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 000AC980
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 000AC98B
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 000AC9AE
                      • _wcscat.LIBCMT ref: 000AC9DE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 000AC9F5
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 000ACA0E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 000ACA25
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 000ACA47
                      • DragFinish.SHELL32(?), ref: 000ACA4E
                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 000ACB41
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                      • API String ID: 169749273-3440237614
                      • Opcode ID: 028840f76c059f273b026b332d2302462cc651323205b0b180606a38726feca2
                      • Instruction ID: 8e98dcf53476ea983894b9d009bf6dacddaac286f5c6d6211c105d3187e826ba
                      • Opcode Fuzzy Hash: 028840f76c059f273b026b332d2302462cc651323205b0b180606a38726feca2
                      • Instruction Fuzzy Hash: 9E619F71108301AFD711DFA0DC85DAFBBE8EF89750F04092EF595961A2DB709A09CBA2
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 000A46AB
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 000A46F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharMessageSendUpper
                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 3974292440-4258414348
                      • Opcode ID: 7c7848499a8449b86bb84c3a3c1266b6dd4fb8fdb8733ef0668076fbf8983b20
                      • Instruction ID: 657f969552849b8064a224c38e0e97769c2d4c987afc66111ff66b84727f1696
                      • Opcode Fuzzy Hash: 7c7848499a8449b86bb84c3a3c1266b6dd4fb8fdb8733ef0668076fbf8983b20
                      • Instruction Fuzzy Hash: 7591BF786047119FCB14EF54D441AAEB7E1AF85310F00886DF8966B3A3CB75ED4ACB86
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 000ABB6E
                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,000A6D80,?), ref: 000ABBCA
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000ABC03
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 000ABC46
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 000ABC7D
                      • FreeLibrary.KERNEL32(?), ref: 000ABC89
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 000ABC99
                      • DestroyIcon.USER32(?), ref: 000ABCA8
                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 000ABCC5
                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 000ABCD1
                        • Part of subcall function 0004313D: __wcsicmp_l.LIBCMT ref: 000431C6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                      • String ID: .dll$.exe$.icl
                      • API String ID: 1212759294-1154884017
                      • Opcode ID: f3d587733db523549341494509353ca40a0274dbe7798e27f40b4b36e3deeda4
                      • Instruction ID: 951fb11b016f05636080624ad83e9989dff6e337a61dc4e7cbc3727b6c69dcb0
                      • Opcode Fuzzy Hash: f3d587733db523549341494509353ca40a0274dbe7798e27f40b4b36e3deeda4
                      • Instruction Fuzzy Hash: D061DF71600619BAEB24DFA4CC41FFE77A8EF09721F104219F915D61D2DBB4A990DBA0
                      APIs
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • CharLowerBuffW.USER32(?,?), ref: 0008A636
                      • GetDriveTypeW.KERNEL32 ref: 0008A683
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A6CB
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A702
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0008A730
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                      • API String ID: 2698844021-4113822522
                      • Opcode ID: bc7d36c18d4696b1210440d2d4761446fa04d6aaab85f430d9fd09cd971d2c13
                      • Instruction ID: 4f311d29e46be7be052f4b4cc0254bd21320ab67218a1d2dc4cee1b60bbb68f3
                      • Opcode Fuzzy Hash: bc7d36c18d4696b1210440d2d4761446fa04d6aaab85f430d9fd09cd971d2c13
                      • Instruction Fuzzy Hash: F9515E716083159FD700EF20D8819AAB7F4FF85718F14496DF89957252DB31EE09CB52
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0008A47A
                      • __swprintf.LIBCMT ref: 0008A49C
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0008A4D9
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0008A4FE
                      • _memset.LIBCMT ref: 0008A51D
                      • _wcsncpy.LIBCMT ref: 0008A559
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0008A58E
                      • CloseHandle.KERNEL32(00000000), ref: 0008A599
                      • RemoveDirectoryW.KERNEL32(?), ref: 0008A5A2
                      • CloseHandle.KERNEL32(00000000), ref: 0008A5AC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                      • String ID: :$\$\??\%s
                      • API String ID: 2733774712-3457252023
                      • Opcode ID: 2dfa2d66d838c5a7a990784ae6c7124701c06e216cb633dc4f2a39c751b000a3
                      • Instruction ID: 76bbddb9af226b9e73a24892c340e1f751afa5c115df7ba475bc13e24288921c
                      • Opcode Fuzzy Hash: 2dfa2d66d838c5a7a990784ae6c7124701c06e216cb633dc4f2a39c751b000a3
                      • Instruction Fuzzy Hash: D031A2B260011AABEB209FA0DC48FFB73BCEF8A701F1041B6FA48D2150E77497448B25
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                      • String ID:
                      • API String ID: 884005220-0
                      • Opcode ID: b715c4b16dc4e7c9cd22eac47efc5989703b17e7751d67a6ce78b30c0bea3ee7
                      • Instruction ID: 2d3c2fdd722e31e39a048f36cfcbb655d7926bc6b035c43b660547761a025b92
                      • Opcode Fuzzy Hash: b715c4b16dc4e7c9cd22eac47efc5989703b17e7751d67a6ce78b30c0bea3ee7
                      • Instruction Fuzzy Hash: C461C9B1A00205EFFB205F24D8417AF7BE5EF12723F144769EC019B192DB799944C7A6
                      APIs
                      • __wsplitpath.LIBCMT ref: 0008DC7B
                      • _wcscat.LIBCMT ref: 0008DC93
                      • _wcscat.LIBCMT ref: 0008DCA5
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0008DCBA
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DCCE
                      • GetFileAttributesW.KERNEL32(?), ref: 0008DCE6
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0008DD00
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0008DD12
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                      • String ID: *.*
                      • API String ID: 34673085-438819550
                      • Opcode ID: b190622eee4b48f37519aef505fb83a13d3534599679136de5741813732e812e
                      • Instruction ID: 3812d5a9a2a58dc91a922241a7d01d1eab92d047c77949ffd320c8f83dd0f6aa
                      • Opcode Fuzzy Hash: b190622eee4b48f37519aef505fb83a13d3534599679136de5741813732e812e
                      • Instruction Fuzzy Hash: A4814C71504341DBDB64EF64C8459AEB7E8BB89310F19892BF8C9CB291EB34DD44CB52
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 000AC4EC
                      • GetFocus.USER32 ref: 000AC4FC
                      • GetDlgCtrlID.USER32(00000000), ref: 000AC507
                      • _memset.LIBCMT ref: 000AC632
                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 000AC65D
                      • GetMenuItemCount.USER32(?), ref: 000AC67D
                      • GetMenuItemID.USER32(?,00000000), ref: 000AC690
                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 000AC6C4
                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 000AC70C
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 000AC744
                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 000AC779
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                      • String ID: 0
                      • API String ID: 1296962147-4108050209
                      • Opcode ID: 055644bf7de32b82964abe731989be46bf2ffe7d8c533ee75188efc8a9094215
                      • Instruction ID: 6efc564351d145154e9e6d6054d57f06f5bd661e757add818b72d3c7501cf586
                      • Opcode Fuzzy Hash: 055644bf7de32b82964abe731989be46bf2ffe7d8c533ee75188efc8a9094215
                      • Instruction Fuzzy Hash: 7C81AD70608301AFE720CFA4D984EAFBBE8FB8A354F01452DF99597291D731D945CBA2
                      APIs
                        • Part of subcall function 0007874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00078766
                        • Part of subcall function 0007874A: GetLastError.KERNEL32(?,0007822A,?,?,?), ref: 00078770
                        • Part of subcall function 0007874A: GetProcessHeap.KERNEL32(00000008,?,?,0007822A,?,?,?), ref: 0007877F
                        • Part of subcall function 0007874A: HeapAlloc.KERNEL32(00000000,?,0007822A,?,?,?), ref: 00078786
                        • Part of subcall function 0007874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0007879D
                        • Part of subcall function 000787E7: GetProcessHeap.KERNEL32(00000008,00078240,00000000,00000000,?,00078240,?), ref: 000787F3
                        • Part of subcall function 000787E7: HeapAlloc.KERNEL32(00000000,?,00078240,?), ref: 000787FA
                        • Part of subcall function 000787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00078240,?), ref: 0007880B
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00078458
                      • _memset.LIBCMT ref: 0007846D
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0007848C
                      • GetLengthSid.ADVAPI32(?), ref: 0007849D
                      • GetAce.ADVAPI32(?,00000000,?), ref: 000784DA
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 000784F6
                      • GetLengthSid.ADVAPI32(?), ref: 00078513
                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00078522
                      • HeapAlloc.KERNEL32(00000000), ref: 00078529
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0007854A
                      • CopySid.ADVAPI32(00000000), ref: 00078551
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00078582
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 000785A8
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 000785BC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                      • String ID:
                      • API String ID: 3996160137-0
                      • Opcode ID: 5c6760b80ef37035af3c97c39f61fb95fb41415f2b61700bcb5482ee8dac7272
                      • Instruction ID: e072a7dc4f1cb87662eea1c8e3a8942bee609025f54ec7ef49213d526044dd66
                      • Opcode Fuzzy Hash: 5c6760b80ef37035af3c97c39f61fb95fb41415f2b61700bcb5482ee8dac7272
                      • Instruction Fuzzy Hash: B0615871D4060AABDF10DFA0DC48EEEBBB9FF05300F14C169E919A6291DB389A04CF64
                      APIs
                      • GetDC.USER32(00000000), ref: 000976A2
                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000976AE
                      • CreateCompatibleDC.GDI32(?), ref: 000976BA
                      • SelectObject.GDI32(00000000,?), ref: 000976C7
                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0009771B
                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00097757
                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0009777B
                      • SelectObject.GDI32(00000006,?), ref: 00097783
                      • DeleteObject.GDI32(?), ref: 0009778C
                      • DeleteDC.GDI32(00000006), ref: 00097793
                      • ReleaseDC.USER32(00000000,?), ref: 0009779E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      • Opcode ID: eaeda27c4e8666a12bd03e1cad4e511b4922aea17df855aee8e8365fabdb52c9
                      • Instruction ID: 63f795637867e7a851212694b22bbe3068cd8667544681cc2150727e98ae3072
                      • Opcode Fuzzy Hash: eaeda27c4e8666a12bd03e1cad4e511b4922aea17df855aee8e8365fabdb52c9
                      • Instruction Fuzzy Hash: B0515A76904609EFDB25CFA8CC85EAEBBB9EF49310F14852DF949A7211D735A840CB60
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,000AFB78), ref: 0008A0FC
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                      • LoadStringW.USER32(?,?,00000FFF,?), ref: 0008A11E
                      • __swprintf.LIBCMT ref: 0008A177
                      • __swprintf.LIBCMT ref: 0008A190
                      • _wprintf.LIBCMT ref: 0008A246
                      • _wprintf.LIBCMT ref: 0008A264
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LoadString__swprintf_wprintf$_memmove
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 311963372-2391861430
                      • Opcode ID: ed1fe87f98b1e23eb07801a8c04facdaca4448f3c6f1576e72ce865ce69c9c39
                      • Instruction ID: 5e4cf9fea3140d6981361e17857c2d8b2832352cb31fb8cb1f1afca0d92959f6
                      • Opcode Fuzzy Hash: ed1fe87f98b1e23eb07801a8c04facdaca4448f3c6f1576e72ce865ce69c9c39
                      • Instruction Fuzzy Hash: FB51B171900219AADF15FBE0DD86EEEB778AF09300F100166F509761A2EB352F48DB61
                      APIs
                        • Part of subcall function 00040B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00026C6C,?,00008000), ref: 00040BB7
                        • Part of subcall function 000248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000248A1,?,?,000237C0,?), ref: 000248CE
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00026D0D
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00026E5A
                        • Part of subcall function 000259CD: _wcscpy.LIBCMT ref: 00025A05
                        • Part of subcall function 0004387D: _iswctype.LIBCMT ref: 00043885
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                      • API String ID: 537147316-1018226102
                      • Opcode ID: 2df30d9588e31f84e9bc575914ca68cf395f0e4bf5bb6778f3bd57045361a048
                      • Instruction ID: 6c5dd86409c62b9fe7633bfc1f57bdc8264e7a473d65cca2e7aa850ebd1e13ad
                      • Opcode Fuzzy Hash: 2df30d9588e31f84e9bc575914ca68cf395f0e4bf5bb6778f3bd57045361a048
                      • Instruction Fuzzy Hash: F002A1711083919FCB24EF24D8819AFBBE5BF85314F04492DF8C9972A2DB31DA49CB46
                      APIs
                      • _memset.LIBCMT ref: 000245F9
                      • GetMenuItemCount.USER32(000E6890), ref: 0005D7CD
                      • GetMenuItemCount.USER32(000E6890), ref: 0005D87D
                      • GetCursorPos.USER32(?), ref: 0005D8C1
                      • SetForegroundWindow.USER32(00000000), ref: 0005D8CA
                      • TrackPopupMenuEx.USER32(000E6890,00000000,?,00000000,00000000,00000000), ref: 0005D8DD
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0005D8E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                      • String ID:
                      • API String ID: 2751501086-0
                      • Opcode ID: 8c0901ca41fcf77ea6d7c64f76d046445d2b1828cfe19c665fceca0a71c6245a
                      • Instruction ID: 15023bfb40b12adbaa0db600f0cec436adbc41b2c405a10ebed19d8a4cf2f1ef
                      • Opcode Fuzzy Hash: 8c0901ca41fcf77ea6d7c64f76d046445d2b1828cfe19c665fceca0a71c6245a
                      • Instruction Fuzzy Hash: 5E71053060561ABAFB309F64DC89FAABFA4FF05355F200217F914661D1DBB15814DB91
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,000A0038,?,?), ref: 000A10BC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 3964851224-909552448
                      • Opcode ID: bcac27f178873a39a37ccf985fb8c33de45db931eebdd8b9ceb61af6fa4d95af
                      • Instruction ID: 57f176657c022e167966ed0220e453b8888d706d32d78f566daa5bd921d51c09
                      • Opcode Fuzzy Hash: bcac27f178873a39a37ccf985fb8c33de45db931eebdd8b9ceb61af6fa4d95af
                      • Instruction Fuzzy Hash: 0E41477054025ADBCF20EFD0E891AEE3764AF16340F504569FD916B292DB34AD2ACBA0
                      APIs
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                        • Part of subcall function 00027A84: _memmove.LIBCMT ref: 00027B0D
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000855D2
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 000855E8
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 000855F9
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0008560B
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0008561C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: SendString$_memmove
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2279737902-1007645807
                      • Opcode ID: 19f091a84127973a4134a447bbacb59d72d44c6c2aa3115af4dce235232095a4
                      • Instruction ID: 09f585bb325f97c9feb4d630c8faaf5d31cd226890a9e05388e399062c45e4b8
                      • Opcode Fuzzy Hash: 19f091a84127973a4134a447bbacb59d72d44c6c2aa3115af4dce235232095a4
                      • Instruction Fuzzy Hash: EB11C420A9066979D720B661DC4ADFF7B7DFF96B00F40042AB545A70D2EEA00E05C6B2
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                      • String ID: 0.0.0.0
                      • API String ID: 208665112-3771769585
                      • Opcode ID: b2ad6bd528915e44e52f647a3e76a4c1da2df9557803aedffed4fee87153bcf5
                      • Instruction ID: 5bdefe54e220f3650d3bdfa79e07e5383fa8660202cc025b780b1a995f40fde5
                      • Opcode Fuzzy Hash: b2ad6bd528915e44e52f647a3e76a4c1da2df9557803aedffed4fee87153bcf5
                      • Instruction Fuzzy Hash: B0110571904116ABDB30FB64EC06EEF77ACEF01720F0001B6F48896052EFB49A818765
                      APIs
                      • timeGetTime.WINMM ref: 0008521C
                        • Part of subcall function 00040719: timeGetTime.WINMM(?,75C0B400,00030FF9), ref: 0004071D
                      • Sleep.KERNEL32(0000000A), ref: 00085248
                      • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0008526C
                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0008528E
                      • SetActiveWindow.USER32 ref: 000852AD
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 000852BB
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 000852DA
                      • Sleep.KERNEL32(000000FA), ref: 000852E5
                      • IsWindow.USER32 ref: 000852F1
                      • EndDialog.USER32(00000000), ref: 00085302
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: BUTTON
                      • API String ID: 1194449130-3405671355
                      • Opcode ID: a30ecae5d53d42181bae134f115cbe4316fca279011132b83555987546d2e13c
                      • Instruction ID: 63e6c26294751d1e1a0f89c2a9d289cba6773d768166d1fc761c6753265f47e1
                      • Opcode Fuzzy Hash: a30ecae5d53d42181bae134f115cbe4316fca279011132b83555987546d2e13c
                      • Instruction Fuzzy Hash: 1A21CF71205F45AFF7007BB0ECC8B3A3BA9FB56B87B440028F145A91B1DBA99D018B21
                      APIs
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • CoInitialize.OLE32(00000000), ref: 0008D855
                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0008D8E8
                      • SHGetDesktopFolder.SHELL32(?), ref: 0008D8FC
                      • CoCreateInstance.OLE32(000B2D7C,00000000,00000001,000DA89C,?), ref: 0008D948
                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0008D9B7
                      • CoTaskMemFree.OLE32(?,?), ref: 0008DA0F
                      • _memset.LIBCMT ref: 0008DA4C
                      • SHBrowseForFolderW.SHELL32(?), ref: 0008DA88
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0008DAAB
                      • CoTaskMemFree.OLE32(00000000), ref: 0008DAB2
                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0008DAE9
                      • CoUninitialize.OLE32(00000001,00000000), ref: 0008DAEB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                      • String ID:
                      • API String ID: 1246142700-0
                      • Opcode ID: 4269b8cd1a1a913627bfa78f52140255394f053adb33a2c1bb06e27256afaabb
                      • Instruction ID: 1cf929c8f505d86a91ca2e913d61d5fd9c114a7f5ca870bec3976c0eccd678c3
                      • Opcode Fuzzy Hash: 4269b8cd1a1a913627bfa78f52140255394f053adb33a2c1bb06e27256afaabb
                      • Instruction Fuzzy Hash: BCB10975A00119AFDB04EFA4C888DAEBBF9FF49310B148569F94AEB251DB30AD41CB50
                      APIs
                      • GetKeyboardState.USER32(?), ref: 000805A7
                      • SetKeyboardState.USER32(?), ref: 00080612
                      • GetAsyncKeyState.USER32(000000A0), ref: 00080632
                      • GetKeyState.USER32(000000A0), ref: 00080649
                      • GetAsyncKeyState.USER32(000000A1), ref: 00080678
                      • GetKeyState.USER32(000000A1), ref: 00080689
                      • GetAsyncKeyState.USER32(00000011), ref: 000806B5
                      • GetKeyState.USER32(00000011), ref: 000806C3
                      • GetAsyncKeyState.USER32(00000012), ref: 000806EC
                      • GetKeyState.USER32(00000012), ref: 000806FA
                      • GetAsyncKeyState.USER32(0000005B), ref: 00080723
                      • GetKeyState.USER32(0000005B), ref: 00080731
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      • Opcode ID: 26efe4285debbdf49ef9ee242acd2dd64c11e45062a781a55cd1aef6d355aaec
                      • Instruction ID: ca1c0bf7797dfbf6da8bdfcd1f919245cd7d198612bc67375a9e41db3d37bb01
                      • Opcode Fuzzy Hash: 26efe4285debbdf49ef9ee242acd2dd64c11e45062a781a55cd1aef6d355aaec
                      • Instruction Fuzzy Hash: 7451BB70A04B8419FBB5FBB088557EBBFF4AF11380F088599D5C2561C3EA649B4CCB61
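The two records above (the GDI chain GetDC, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits at 000976A2..0009779E, and the GetAsyncKeyState/GetKeyState loop at 000805A7..00080731) are the kind of call sets an analyst scans a report like this for. The following Python script is an added example for this page, not Joe Sandbox code and not code from the analysed sample: it parses the "APIs" function records in the plain-text form shown here, applies a small watch-list, and decodes the virtual-key arguments of the key-state polling. The watch-list (RULES) is this example's own choice and not a Joe Sandbox signature; the VK_* names are the standard Windows virtual-key constants; the embedded input is a condensed excerpt of three records from this report, constructed for the example.

```python
"""Triage helper for the 'APIs' function records in a Joe Sandbox report.

Added example for this page; it is not Joe Sandbox code and not code from
the analysed sample. RULES is this example's own watch-list (an assumption,
not a Joe Sandbox signature).
"""
import re

# One API line, e.g.
#   • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00097757
#   • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
#   • SetActiveWindow.USER32 ref: 000852AD
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Standard Windows virtual-key codes seen as GetAsyncKeyState arguments above.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# Watch-list: a record matches when every API of at least one alternative
# set is called directly by the function (subcall lines are ignored).
RULES = {
    "screen capture: GetDC -> compatible bitmap -> blit -> GetDIBits": [
        {"GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "StretchBlt", "GetDIBits"},
        {"GetDC", "CreateCompatibleBitmap", "CreateCompatibleDC", "BitBlt", "GetDIBits"},
    ],
    "key-state polling: GetAsyncKeyState + GetKeyState": [{"GetAsyncKeyState", "GetKeyState"}],
    "MCI audio playback: mciSendStringW": [{"mciSendStringW"}],
}


def parse_records(text):
    """Split report text into per-function records.

    A record starts at a line reading 'APIs' and runs to the next one, so it
    also covers the 'Similarity' block that carries the 'String ID' line.
    """
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            cur["apis"].append({
                "api": m["api"], "module": m["module"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": int(m["ref"], 16), "subcall": m["sub"] is not None,
            })
        elif line.startswith("• String ID:"):
            body = line[len("• String ID:"):].strip()
            cur["strings"] = [s for s in body.split("$") if s]   # '$'-separated
    return records


def direct_apis(record):
    """Names of APIs the function calls itself (not through a subcall)."""
    return {c["api"] for c in record["apis"] if not c["subcall"]}


def match_rules(record, rules=RULES):
    """Labels of every rule whose API set is covered by this record."""
    apis = direct_apis(record)
    return [label for label, alts in rules.items() if any(need <= apis for need in alts)]


def polled_keys(record):
    """Decode the first argument of each GetAsyncKeyState call to a VK name."""
    keys = []
    for c in record["apis"]:
        if c["api"] != "GetAsyncKeyState" or not c["args"]:
            continue
        try:
            code = int(c["args"][0], 16)
        except ValueError:          # '?' means the sandbox could not resolve it
            continue
        keys.append(VK_NAMES.get(code, "VK_%02X" % code))
    return keys


def triage(text):
    """Return (record index, matched rule labels, polled keys) for each hit."""
    hits = []
    for i, rec in enumerate(parse_records(text)):
        labels = match_rules(rec)
        if labels:
            hits.append((i, labels, polled_keys(rec)))
    return hits


# Constructed input: three records condensed from this report's listing.
SAMPLE = """\
APIs
• GetDC.USER32(00000000), ref: 000976A2
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 000976AE
• CreateCompatibleDC.GDI32(?), ref: 000976BA
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0009771B
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00097757
• ReleaseDC.USER32(00000000,?), ref: 0009779E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
APIs
• GetKeyboardState.USER32(?), ref: 000805A7
• GetAsyncKeyState.USER32(000000A0), ref: 00080632
• GetKeyState.USER32(000000A0), ref: 00080649
• GetAsyncKeyState.USER32(000000A1), ref: 00080678
• GetAsyncKeyState.USER32(00000011), ref: 000806B5
• GetAsyncKeyState.USER32(00000012), ref: 000806EC
• GetAsyncKeyState.USER32(0000005B), ref: 00080723
Similarity
• String ID:
APIs
  • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 000855D2
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0008560B
Similarity
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
"""

if __name__ == "__main__":
    for idx, labels, keys in triage(SAMPLE):
        print(idx, labels, keys)
```

Run against the whole report text instead of SAMPLE to get one hit per matching function. Note what the decoded keys say: the polled codes are all modifier keys (Shift, Ctrl, Alt, Win), which is what an input-synthesis routine checks before injecting keystrokes, not a capture of printable keys; this record alone does not establish keystroke logging, so that conclusion has to rest on other evidence in the report.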
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 0007C746
                      • GetWindowRect.USER32(00000000,?), ref: 0007C758
                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0007C7B6
                      • GetDlgItem.USER32(?,00000002), ref: 0007C7C1
                      • GetWindowRect.USER32(00000000,?), ref: 0007C7D3
                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0007C827
                      • GetDlgItem.USER32(?,000003E9), ref: 0007C835
                      • GetWindowRect.USER32(00000000,?), ref: 0007C846
                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0007C889
                      • GetDlgItem.USER32(?,000003EA), ref: 0007C897
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0007C8B4
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0007C8C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 6b8922353f0d8f855916892e2d87fc932c2c7af81a2f60954fe3818d758a6a13
                      • Instruction ID: 57ea33fa8d04342c8b443ed01f237534e4e2f72104635e03bc50d3ea4501bb81
                      • Opcode Fuzzy Hash: 6b8922353f0d8f855916892e2d87fc932c2c7af81a2f60954fe3818d758a6a13
                      • Instruction Fuzzy Hash: C2512271B00605ABEB18CFA9DD85E7DBBB5EB89310F14812DF519D7290DB749D00CB54
                      APIs
                        • Part of subcall function 00021B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00022036,?,00000000,?,?,?,?,000216CB,00000000,?), ref: 00021B9A
                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 000220D3
                      • KillTimer.USER32(-00000001,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0002216E
                      • DestroyAcceleratorTable.USER32(00000000), ref: 0005BEF6
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BF27
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BF3E
                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,000216CB,00000000,?,?,00021AE2,?,?), ref: 0005BF5A
                      • DeleteObject.GDI32(00000000), ref: 0005BF6C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 641708696-0
                      • Opcode ID: 4d7614ae3d7b482c9ae29a06a509549e9591609ec8f9f1540b92c5575569e75b
                      • Instruction ID: bd00a85b9f01495a77294b5a7b5a65ac69beaf289752ca7957963abba4ddfc0f
                      • Opcode Fuzzy Hash: 4d7614ae3d7b482c9ae29a06a509549e9591609ec8f9f1540b92c5575569e75b
                      • Instruction Fuzzy Hash: 2861C030104661EFEB359F54ED88B2A77F1FF61712F104528E5825A571CB7AA891DF40
                      APIs
                        • Part of subcall function 000225DB: GetWindowLongW.USER32(?,000000EB), ref: 000225EC
                      • GetSysColor.USER32(0000000F), ref: 000221D3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      • Opcode ID: 26c8c3a34f48b5fbafc9a3e2a6378ada983654d7c855f8fe57c324f4df8a1494
                      • Instruction ID: 69e99349198c31990ca7e54afad387ec6bb8fd434bd4b67ba02d5992f62a76f2
                      • Opcode Fuzzy Hash: 26c8c3a34f48b5fbafc9a3e2a6378ada983654d7c855f8fe57c324f4df8a1494
                      • Instruction Fuzzy Hash: C9419131100A50FEEB255FA8EC88BB93BA5EB07331F144365FD659A1E2C7368C46DB21
                      APIs
                      • CharLowerBuffW.USER32(?,?,000AF910), ref: 0008AB76
                      • GetDriveTypeW.KERNEL32(00000061,000DA620,00000061), ref: 0008AC40
                      • _wcscpy.LIBCMT ref: 0008AC6A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharDriveLowerType_wcscpy
                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 2820617543-1000479233
                      • Opcode ID: a4abd8a34f3f86b8d46b6c22fa086f5e088e00514b6db532f7a2b7ad16d649de
                      • Instruction ID: 6804e3f413bd0f2604e1f713239e6efc2365cce7ec1a5c406d86c7dd17951730
                      • Opcode Fuzzy Hash: a4abd8a34f3f86b8d46b6c22fa086f5e088e00514b6db532f7a2b7ad16d649de
                      • Instruction Fuzzy Hash: 95517B306083119BD720EF14D891AAEB7E5FF86300F54482EF5D6976A3EB319949CB53
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __i64tow__itow__swprintf
                      • String ID: %.15g$0x%p$False$True
                      • API String ID: 421087845-2263619337
                      • Opcode ID: 4549dc2609491dd7de2710dd8969dced3b82729a0366830ee11ab4644be531ff
                      • Instruction ID: 4471d6a8ef294b4a1cc244731bb2517de9c501e7ceb083b09d468527891a6b53
                      • Opcode Fuzzy Hash: 4549dc2609491dd7de2710dd8969dced3b82729a0366830ee11ab4644be531ff
                      • Instruction Fuzzy Hash: 97410671604616ABDB34EB38EC42EBB73E8EF48310F20447FE549D7282EA3199458B11
                      APIs
                      • _memset.LIBCMT ref: 000A73D9
                      • CreateMenu.USER32 ref: 000A73F4
                      • SetMenu.USER32(?,00000000), ref: 000A7403
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000A7490
                      • IsMenu.USER32(?), ref: 000A74A6
                      • CreatePopupMenu.USER32 ref: 000A74B0
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000A74DD
                      • DrawMenuBar.USER32 ref: 000A74E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                      • String ID: 0$F
                      • API String ID: 176399719-3044882817
                      • Opcode ID: 70d617a3bf54c8e2e96cba610a4778eb31a9b27f5d326474892d1937fac2181d
                      • Instruction ID: 821af40560cddd45ca41b547d6c51f435a2dee82bacd756af8a85c9f2865c21e
                      • Opcode Fuzzy Hash: 70d617a3bf54c8e2e96cba610a4778eb31a9b27f5d326474892d1937fac2181d
                      • Instruction Fuzzy Hash: 31415B74A00605EFDB20DFA4DD84AAABBF5FF4A340F144128FA59A7360D735A910CB50
                      APIs
                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 000A77CD
                      • CreateCompatibleDC.GDI32(00000000), ref: 000A77D4
                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 000A77E7
                      • SelectObject.GDI32(00000000,00000000), ref: 000A77EF
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 000A77FA
                      • DeleteDC.GDI32(00000000), ref: 000A7803
                      • GetWindowLongW.USER32(?,000000EC), ref: 000A780D
                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 000A7821
                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 000A782D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                      • String ID: static
                      • API String ID: 2559357485-2160076837
                      • Opcode ID: b8a2e7c23d992b12cc92de11c80fe1b0ea213488d0b2953840feb1bb7a2556ba
                      • Instruction ID: 78fcd4c65df5dd302a16431ba885eccc9ecb55ed579f937e3d38f1faf26beeb7
                      • Opcode Fuzzy Hash: b8a2e7c23d992b12cc92de11c80fe1b0ea213488d0b2953840feb1bb7a2556ba
                      • Instruction Fuzzy Hash: 03318F32104115ABEF115FE4DC08FEB3BA9FF0A760F114224FA59A60A1CB39D811DBA4
                      APIs
                      • _memset.LIBCMT ref: 0004707B
                        • Part of subcall function 00048D68: __getptd_noexit.LIBCMT ref: 00048D68
                      • __gmtime64_s.LIBCMT ref: 00047114
                      • __gmtime64_s.LIBCMT ref: 0004714A
                      • __gmtime64_s.LIBCMT ref: 00047167
                      • __allrem.LIBCMT ref: 000471BD
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000471D9
                      • __allrem.LIBCMT ref: 000471F0
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0004720E
                      • __allrem.LIBCMT ref: 00047225
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00047243
                      • __invoke_watson.LIBCMT ref: 000472B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                      • String ID:
                      • API String ID: 384356119-0
                      • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                      • Instruction ID: ecdfa2bf63e58e07d486f1c4d72b86d3f75f67bc46fba109d39f05fe6e1f69db
                      • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                      • Instruction Fuzzy Hash: 117128F1A05717EBD7149E79CC41B9BB7E8AF10364F14423AF918E7282E770E9448794
                      APIs
                      • _memset.LIBCMT ref: 00082A31
                      • GetMenuItemInfoW.USER32(000E6890,000000FF,00000000,00000030), ref: 00082A92
                      • SetMenuItemInfoW.USER32(000E6890,00000004,00000000,00000030), ref: 00082AC8
                      • Sleep.KERNEL32(000001F4), ref: 00082ADA
                      • GetMenuItemCount.USER32(?), ref: 00082B1E
                      • GetMenuItemID.USER32(?,00000000), ref: 00082B3A
                      • GetMenuItemID.USER32(?,-00000001), ref: 00082B64
                      • GetMenuItemID.USER32(?,?), ref: 00082BA9
                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00082BEF
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00082C03
                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00082C24
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                      • String ID:
                      • API String ID: 4176008265-0
                      • Opcode ID: 4f03ef94c34cdf1bcd4c746c755d81220883d947cd97204923bd4aa3dd32274d
                      • Instruction ID: 27ecc27f24cb4b7dd8290e9b6c57410548faca408e8862f6303b1d16f14bc688
                      • Opcode Fuzzy Hash: 4f03ef94c34cdf1bcd4c746c755d81220883d947cd97204923bd4aa3dd32274d
                      • Instruction Fuzzy Hash: 0661C1B090164AAFEB21EFA4DC88DBE7BB8FF01304F144469E981A7251D735AD45DB21
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 000A7214
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 000A7217
                      • GetWindowLongW.USER32(?,000000F0), ref: 000A723B
                      • _memset.LIBCMT ref: 000A724C
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 000A725E
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 000A72D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$LongWindow_memset
                      • String ID:
                      • API String ID: 830647256-0
                      • Opcode ID: 93b583e76150559b88bc97d5adbe953703ea4049111c6e467c7ffa8815d8c2fe
                      • Instruction ID: ff7efc8862b293b3ba707dd7b4ae2d0f973792dcff975ac6d50aae62e17aff24
                      • Opcode Fuzzy Hash: 93b583e76150559b88bc97d5adbe953703ea4049111c6e467c7ffa8815d8c2fe
                      • Instruction Fuzzy Hash: D5616E75A00248AFDB10DFA4CC81EEE77F8EF0A710F144159FA14AB2A1D775AE45DB60
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00077135
                      • SafeArrayAllocData.OLEAUT32(?), ref: 0007718E
                      • VariantInit.OLEAUT32(?), ref: 000771A0
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 000771C0
                      • VariantCopy.OLEAUT32(?,?), ref: 00077213
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00077227
                      • VariantClear.OLEAUT32(?), ref: 0007723C
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00077249
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00077252
                      • VariantClear.OLEAUT32(?), ref: 00077264
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0007726F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      • Opcode ID: 44a1851d1309c54e1de4965222ad7350027b739b0036faa99b9e96939c6135a5
                      • Instruction ID: 433744af0450c9cda1d60b08132d52f608d7f8a5ba355454c51875234d50b8d0
                      • Opcode Fuzzy Hash: 44a1851d1309c54e1de4965222ad7350027b739b0036faa99b9e96939c6135a5
                      • Instruction Fuzzy Hash: 23415435E042199FDF04DFA8D8449EEBBB8FF08354F00C065F959A7262DB34A945CB94
                      APIs
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • CoInitialize.OLE32 ref: 00098718
                      • CoUninitialize.OLE32 ref: 00098723
                      • CoCreateInstance.OLE32(?,00000000,00000017,000B2BEC,?), ref: 00098783
                      • IIDFromString.OLE32(?,?), ref: 000987F6
                      • VariantInit.OLEAUT32(?), ref: 00098890
                      • VariantClear.OLEAUT32(?), ref: 000988F1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 834269672-1287834457
                      • Opcode ID: 0a149f730a08e7698798e4abc491513b36009d787386948e5c12011e5e2baef1
                      • Instruction ID: 56ac4bd59408ca22a0f398900281be3f77dee9358ede3a7154be99d549b8bab0
                      • Opcode Fuzzy Hash: 0a149f730a08e7698798e4abc491513b36009d787386948e5c12011e5e2baef1
                      • Instruction Fuzzy Hash: 7D618C706087119FDB10DF64C848A6BB7E4AF4A714F10881DF9859B391CF74ED44DBA2
                      APIs
                      • WSAStartup.WSOCK32(00000101,?), ref: 00095AA6
                      • inet_addr.WSOCK32(?,?,?), ref: 00095AEB
                      • gethostbyname.WSOCK32(?), ref: 00095AF7
                      • IcmpCreateFile.IPHLPAPI ref: 00095B05
                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00095B75
                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00095B8B
                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00095C00
                      • WSACleanup.WSOCK32 ref: 00095C06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                      • String ID: Ping
                      • API String ID: 1028309954-2246546115
                      • Opcode ID: 737ed7eef189e647e4892312b9ed62ddc403244f047b70b073ace08a039b4a55
                      • Instruction ID: 196d97d7ff6435169047116abe26db0dbb2b5d478664a52697e5018c7d451f49
                      • Opcode Fuzzy Hash: 737ed7eef189e647e4892312b9ed62ddc403244f047b70b073ace08a039b4a55
                      • Instruction Fuzzy Hash: C051C231604B019FDB21EF25DC45B6EB7E0EF48311F148929F996DB2A1DB34E800DB46
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0008B73B
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0008B7B1
                      • GetLastError.KERNEL32 ref: 0008B7BB
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0008B828
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: 6b61bad0d39e852a763c5cbd4b0c4f678115005732fa194bb73600b7092536c2
                      • Instruction ID: f709a887523e85b4f2a5192505b784649334fe94675f952c86138c99e6a5512e
                      • Opcode Fuzzy Hash: 6b61bad0d39e852a763c5cbd4b0c4f678115005732fa194bb73600b7092536c2
                      • Instruction Fuzzy Hash: A2318F35A003099FDB10FF68D885AFE7BB8FF45700F14806AE946DB292DB719946CB51
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 000794F6
                      • GetDlgCtrlID.USER32 ref: 00079501
                      • GetParent.USER32 ref: 0007951D
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00079520
                      • GetDlgCtrlID.USER32(?), ref: 00079529
                      • GetParent.USER32(?), ref: 00079545
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00079548
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1536045017-1403004172
                      • Opcode ID: 32e6d47670e5f0a02a3fe3811ee521c75f7dc5bdeff8c7aec420483ba696d258
                      • Instruction ID: 29a31dd7cbe7d28f2695349f853fd4a1c9fe402c9520db6c78d598848458d0d6
                      • Opcode Fuzzy Hash: 32e6d47670e5f0a02a3fe3811ee521c75f7dc5bdeff8c7aec420483ba696d258
                      • Instruction Fuzzy Hash: BA210670D00204BBDF00ABA0CC85EFEBBB9EF45300F104125B521972E2DB795919DB60
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 000795DF
                      • GetDlgCtrlID.USER32 ref: 000795EA
                      • GetParent.USER32 ref: 00079606
                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00079609
                      • GetDlgCtrlID.USER32(?), ref: 00079612
                      • GetParent.USER32(?), ref: 0007962E
                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00079631
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 1536045017-1403004172
                      • Opcode ID: d13bf07976e0f461d774b17b144280faf97534f732a5b9c8607f79ea4a657472
                      • Instruction ID: 959a0687bf46ec2f7444af493a97622217b55882a59dd84741a2adcd0594d43e
                      • Opcode Fuzzy Hash: d13bf07976e0f461d774b17b144280faf97534f732a5b9c8607f79ea4a657472
                      • Instruction Fuzzy Hash: 8A21C574E00204BBDF01ABA0CCC5EFEBBB9EF49300F144165FA11972A6DB799919DB64
                      APIs
                      • GetParent.USER32 ref: 00079651
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00079666
                      • _wcscmp.LIBCMT ref: 00079678
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 000796F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassMessageNameParentSend_wcscmp
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1704125052-3381328864
                      • Opcode ID: 0e53b15beed7f7d36b201d1eedccbde89acd0726a10088a404621eb398254bd9
                      • Instruction ID: f0a9535edf4abfdec3281d40c00621554120deeb22a180ba1dd14140143c2358
                      • Opcode Fuzzy Hash: 0e53b15beed7f7d36b201d1eedccbde89acd0726a10088a404621eb398254bd9
                      • Instruction Fuzzy Hash: C4112CBA648707BAFA112620EC07DE677DCDB05360F204237FE04E50E6FE655910475C
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00098BEC
                      • CoInitialize.OLE32(00000000), ref: 00098C19
                      • CoUninitialize.OLE32 ref: 00098C23
                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00098D23
                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00098E50
                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,000B2C0C), ref: 00098E84
                      • CoGetObject.OLE32(?,00000000,000B2C0C,?), ref: 00098EA7
                      • SetErrorMode.KERNEL32(00000000), ref: 00098EBA
                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00098F3A
                      • VariantClear.OLEAUT32(?), ref: 00098F4A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                      • String ID:
                      • API String ID: 2395222682-0
                      • Opcode ID: 045ced22a7243a792c4e5fb1b1456cd7f4b2eff4dc510a6a46de9a4972f2600d
                      • Instruction ID: aa8372014169c80120c55d5217d6f813be6f8f5f6d67ffb72ab256ccf37d9d31
                      • Opcode Fuzzy Hash: 045ced22a7243a792c4e5fb1b1456cd7f4b2eff4dc510a6a46de9a4972f2600d
                      • Instruction Fuzzy Hash: AAC124B1208305AFDB00DF64C88496BB7E9BF8A348F10896DF58ADB251DB71ED05CB52
                      APIs
                      • __swprintf.LIBCMT ref: 0008419D
                      • __swprintf.LIBCMT ref: 000841AA
                        • Part of subcall function 000438D8: __woutput_l.LIBCMT ref: 00043931
                      • FindResourceW.KERNEL32(?,?,0000000E), ref: 000841D4
                      • LoadResource.KERNEL32(?,00000000), ref: 000841E0
                      • LockResource.KERNEL32(00000000), ref: 000841ED
                      • FindResourceW.KERNEL32(?,?,00000003), ref: 0008420D
                      • LoadResource.KERNEL32(?,00000000), ref: 0008421F
                      • SizeofResource.KERNEL32(?,00000000), ref: 0008422E
                      • LockResource.KERNEL32(?), ref: 0008423A
                      • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0008429B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                      • String ID:
                      • API String ID: 1433390588-0
                      • Opcode ID: f447a4da4c4de02593626e52bb55a9a4801fb0443852a81643e7561ee3450381
                      • Instruction ID: 7b58755620d573e0f52f8f631315e0586fd9114ebc4a9dff90fb81f671b11c86
                      • Opcode Fuzzy Hash: f447a4da4c4de02593626e52bb55a9a4801fb0443852a81643e7561ee3450381
                      • Instruction Fuzzy Hash: 0431B0B160561BABEB11AFA0EC88EBF7BACFF09301F004525F945D6150D778DA518BA0
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00081700
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00080778,?,00000001), ref: 00081714
                      • GetWindowThreadProcessId.USER32(00000000), ref: 0008171B
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00080778,?,00000001), ref: 0008172A
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0008173C
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00080778,?,00000001), ref: 00081755
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00080778,?,00000001), ref: 00081767
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00080778,?,00000001), ref: 000817AC
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00080778,?,00000001), ref: 000817C1
                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00080778,?,00000001), ref: 000817CC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 23315fd334cf757c057279aa0a710f517f874d7a5ca7698dc683caa4c8ce1752
                      • Instruction ID: 9b32e4dad74dfceeaaec0afd316578dcd8914fb39907ea16eec735854b8eed6f
                      • Opcode Fuzzy Hash: 23315fd334cf757c057279aa0a710f517f874d7a5ca7698dc683caa4c8ce1752
                      • Instruction Fuzzy Hash: 2C318175608604BBFB61AF54DC84FB97BFDBF56B11F104029F848DA2A0D7B89D418B90
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0002FC06
                      • OleUninitialize.OLE32(?,00000000), ref: 0002FCA5
                      • UnregisterHotKey.USER32(?), ref: 0002FDFC
                      • DestroyWindow.USER32(?), ref: 00064A00
                      • FreeLibrary.KERNEL32(?), ref: 00064A65
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00064A92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 469580280-3243417748
                      • Opcode ID: 4d7f29bc0e33da04a5e929cc88ffb298a6cd5966fb26eed9f73cabfd10341cbe
                      • Instruction ID: 5079d3f5884517e219c8fefd8b9fa416be930986edb8accb045f54f22c26f025
                      • Opcode Fuzzy Hash: 4d7f29bc0e33da04a5e929cc88ffb298a6cd5966fb26eed9f73cabfd10341cbe
                      • Instruction Fuzzy Hash: 49A18D30701222DFCB69EF50D995AB9F7A5BF04740F1442BDE80AAB262CB30AD16CF55
                      APIs
                      • EnumChildWindows.USER32(?,0007AA64), ref: 0007A9A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ChildEnumWindows
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 3555792229-1603158881
                      • Opcode ID: ce17bdd4119047f897d7d89e7c23ce2701abe85e91e2a9d0e6ae5de26ca12d7d
                      • Instruction ID: bb5c533007341c79e14377c137d2c20c2c789afc47f5c3c5c621d7bef28caf22
                      • Opcode Fuzzy Hash: ce17bdd4119047f897d7d89e7c23ce2701abe85e91e2a9d0e6ae5de26ca12d7d
                      • Instruction Fuzzy Hash: C791A370F04606AADB58DF60C481BEDFBB4BF45304F10C129E98EA7152DF34AA59CBA5
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00022EAE
                        • Part of subcall function 00021DB3: GetClientRect.USER32(?,?), ref: 00021DDC
                        • Part of subcall function 00021DB3: GetWindowRect.USER32(?,?), ref: 00021E1D
                        • Part of subcall function 00021DB3: ScreenToClient.USER32(?,?), ref: 00021E45
                      • GetDC.USER32 ref: 0005CF82
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0005CF95
                      • SelectObject.GDI32(00000000,00000000), ref: 0005CFA3
                      • SelectObject.GDI32(00000000,00000000), ref: 0005CFB8
                      • ReleaseDC.USER32(?,00000000), ref: 0005CFC0
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0005D04B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      • Opcode ID: f44d4448350ee49ae4915c9c6b8db4b4e6106d90caeb226034658a1fddafe563
                      • Instruction ID: 676df0689602716c59e8ebc479bc50ef293980b9608f1c83f2c5af752849ecd6
                      • Opcode Fuzzy Hash: f44d4448350ee49ae4915c9c6b8db4b4e6106d90caeb226034658a1fddafe563
                      • Instruction Fuzzy Hash: 6971BF30400205EFDF718FA4D884AFB7BF6FF49361F14426AED555A2A6C7318885EB60
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                        • Part of subcall function 00022344: GetCursorPos.USER32(?), ref: 00022357
                        • Part of subcall function 00022344: ScreenToClient.USER32(000E67B0,?), ref: 00022374
                        • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000001), ref: 00022399
                        • Part of subcall function 00022344: GetAsyncKeyState.USER32(00000002), ref: 000223A7
                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 000AC2E4
                      • ImageList_EndDrag.COMCTL32 ref: 000AC2EA
                      • ReleaseCapture.USER32 ref: 000AC2F0
                      • SetWindowTextW.USER32(?,00000000), ref: 000AC39A
                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 000AC3AD
                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 000AC48F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                      • API String ID: 1924731296-2107944366
                      • Opcode ID: 76c833ecf9865ffc5f4e1e7060bad10bc57943a8f41cd521f9c32dca48025026
                      • Instruction ID: 4b46ee58528d614321d29aa61793d3b404c998a21dff0be4ec63cb8ae235ec18
                      • Opcode Fuzzy Hash: 76c833ecf9865ffc5f4e1e7060bad10bc57943a8f41cd521f9c32dca48025026
                      • Instruction Fuzzy Hash: 1051CF70204301EFEB10EF60DC96FAA7BE5EB89710F00862DF5959B2E2CB759944CB52
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,000AF910), ref: 0009903D
                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,000AF910), ref: 00099071
                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 000991EB
                      • SysFreeString.OLEAUT32(?), ref: 00099215
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                      • String ID:
                      • API String ID: 560350794-0
                      • Opcode ID: ee5c5f1f708ff38ba340f1e656beaf7cdeeda244807687bcac9101fbc037d58a
                      • Instruction ID: 94acc45deb408ff7801f5a6ca942ae6d3a5f8e2494986ef24fa8f1770b3be07c
                      • Opcode Fuzzy Hash: ee5c5f1f708ff38ba340f1e656beaf7cdeeda244807687bcac9101fbc037d58a
                      • Instruction Fuzzy Hash: FFF13A71A00109EFDF14DF98C888EAEB7B9FF89315F108059F516AB291DB31AE45DB50
                      APIs
                      • _memset.LIBCMT ref: 0009F9C9
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0009FB5C
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0009FB80
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0009FBC0
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0009FBE2
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0009FD5E
                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0009FD90
                      • CloseHandle.KERNEL32(?), ref: 0009FDBF
                      • CloseHandle.KERNEL32(?), ref: 0009FE36
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                      • String ID:
                      • API String ID: 4090791747-0
                      • Opcode ID: 3c9f3c4821f089dee91f9c587a6f8317c258e2c8d3e5311e616f6d58c1e185aa
                      • Instruction ID: 83ce250db852f4f416b212295afba10f81259c4b6811fbe0ff5061cfce7bd316
                      • Opcode Fuzzy Hash: 3c9f3c4821f089dee91f9c587a6f8317c258e2c8d3e5311e616f6d58c1e185aa
                      • Instruction Fuzzy Hash: 3EE1B271604302DFDB14EF24D891ABABBE1AF85354F14896DF8998B2A2CB31DC44DB52
                      APIs
                        • Part of subcall function 000848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000838D3,?), ref: 000848C7
                        • Part of subcall function 000848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000838D3,?), ref: 000848E0
                        • Part of subcall function 00084CD3: GetFileAttributesW.KERNEL32(?,00083947), ref: 00084CD4
                      • lstrcmpiW.KERNEL32(?,?), ref: 00084FE2
                      • _wcscmp.LIBCMT ref: 00084FFC
                      • MoveFileW.KERNEL32(?,?), ref: 00085017
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                      • String ID:
                      • API String ID: 793581249-0
                      • Opcode ID: 8a33e3892949a116e4543f5317f9f69d5be4d9cdb40b7a219db8924638859a18
                      • Instruction ID: 8f3d462276dec940a59cbd92e4525d315b024c5dc47150657163c84010ffb019
                      • Opcode Fuzzy Hash: 8a33e3892949a116e4543f5317f9f69d5be4d9cdb40b7a219db8924638859a18
                      • Instruction Fuzzy Hash: F45164B20087859BC764EB90DC859DFB7ECAF85341F40092EB2C9D3152EF74A6888766
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 000A896E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      • API String ID: 634782764-0
                      • Opcode ID: 5a4faea4b1fde509ff24f78879bc2b933e22e4cc23590bb603c5b879590e41fb
                      • Instruction ID: d2a424ca2de0f65c241b3ac7797157ab3dc6afa1dcf191772b15c698e7c10ce3
                      • Opcode Fuzzy Hash: 5a4faea4b1fde509ff24f78879bc2b933e22e4cc23590bb603c5b879590e41fb
                      • Instruction Fuzzy Hash: 3B51A130600209BFEF349FA4DC89BAE7BA5BB17350F648112F511E61E1DF75A980CB82
                      APIs
                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0005C547
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0005C569
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0005C581
                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0005C59F
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0005C5C0
                      • DestroyIcon.USER32(00000000), ref: 0005C5CF
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0005C5EC
                      • DestroyIcon.USER32(?), ref: 0005C5FB
                        • Part of subcall function 000AA71E: DeleteObject.GDI32(00000000), ref: 000AA757
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                      • String ID:
                      • API String ID: 2819616528-0
                      • Opcode ID: 71281ee855a5002cee2c68761458590bc979a463af9403695e364da4f7161228
                      • Instruction ID: e585ce6831dd5c20dbf426ba9150104f1252c1039592892876ccd4436420fa50
                      • Opcode Fuzzy Hash: 71281ee855a5002cee2c68761458590bc979a463af9403695e364da4f7161228
                      • Instruction Fuzzy Hash: AE515870600709AFEB20DFA4EC45FAA37F5EB59751F100528F942A72A0DB75ED90DB50
                      APIs
                        • Part of subcall function 0007AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0007AE77
                        • Part of subcall function 0007AE57: GetCurrentThreadId.KERNEL32 ref: 0007AE7E
                        • Part of subcall function 0007AE57: AttachThreadInput.USER32(00000000,?,00079B65,?,00000001), ref: 0007AE85
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00079B70
                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00079B8D
                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00079B90
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00079B99
                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00079BB7
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00079BBA
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00079BC3
                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00079BDA
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00079BDD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                      • String ID:
                      • API String ID: 2014098862-0
                      • Opcode ID: dcdd59f51560e334daa59d75c5e9fd556cdec185ecdfafa42b498dce4ae31a55
                      • Instruction ID: b380532c5a361d95adad9f14804dbc8dd440e8fcd3dbca50bbb09e8588fb97ba
                      • Opcode Fuzzy Hash: dcdd59f51560e334daa59d75c5e9fd556cdec185ecdfafa42b498dce4ae31a55
                      • Instruction Fuzzy Hash: 39110471A50A18BEF6106FA0DC89FBA3F2DEB4D755F104425F248AB0A1CAF75C10DEA4
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00078A84,00000B00,?,?), ref: 00078E0C
                      • HeapAlloc.KERNEL32(00000000,?,00078A84,00000B00,?,?), ref: 00078E13
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00078A84,00000B00,?,?), ref: 00078E28
                      • GetCurrentProcess.KERNEL32(?,00000000,?,00078A84,00000B00,?,?), ref: 00078E30
                      • DuplicateHandle.KERNEL32(00000000,?,00078A84,00000B00,?,?), ref: 00078E33
                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00078A84,00000B00,?,?), ref: 00078E43
                      • GetCurrentProcess.KERNEL32(00078A84,00000000,?,00078A84,00000B00,?,?), ref: 00078E4B
                      • DuplicateHandle.KERNEL32(00000000,?,00078A84,00000B00,?,?), ref: 00078E4E
                      • CreateThread.KERNEL32(00000000,00000000,00078E74,00000000,00000000,00000000), ref: 00078E68
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                      • String ID:
                      • API String ID: 1957940570-0
                      • Opcode ID: d6a446af8176334b51d60c9f3eae54f40080b6d9651e511a4c9d82b1fae6ece8
                      • Instruction ID: 5b63c9a5bd77e1a78b3050121e5b6fd9dba8666ef1bd58746f354583e4a566b5
                      • Opcode Fuzzy Hash: d6a446af8176334b51d60c9f3eae54f40080b6d9651e511a4c9d82b1fae6ece8
                      • Instruction Fuzzy Hash: 4301BBB5640709FFF760ABA5DC4DF6B3BACEB89711F008421FA05DB1A1DA749800CB20
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Variant$ClearInit$_memset
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 2862541840-625585964
                      • Opcode ID: 0bcd769d57674db59f1ef37c08c176d5ddafdf598577a166131f2de8005e8fbd
                      • Instruction ID: 55fd085b2a5e074689e9b5f555710096bb1b0407accf57f56e8ca8556f8e4f34
                      • Opcode Fuzzy Hash: 0bcd769d57674db59f1ef37c08c176d5ddafdf598577a166131f2de8005e8fbd
                      • Instruction Fuzzy Hash: E191AD71A00219ABDF24DFA9C848FAFBBB8EF85710F10815EF515AB281D7709905CFA0
                      APIs
                        • Part of subcall function 00077652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?,?,0007799D), ref: 0007766F
                        • Part of subcall function 00077652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?), ref: 0007768A
                        • Part of subcall function 00077652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?), ref: 00077698
                        • Part of subcall function 00077652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?), ref: 000776A8
                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00099B1B
                      • _memset.LIBCMT ref: 00099B28
                      • _memset.LIBCMT ref: 00099C6B
                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00099C97
                      • CoTaskMemFree.OLE32(?), ref: 00099CA2
                      Strings
                      • NULL Pointer assignment, xrefs: 00099CF0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                      • String ID: NULL Pointer assignment
                      • API String ID: 1300414916-2785691316
                      • Opcode ID: dafeb4730b77dc6d9b12f86dbabd9c064e11bff967542349eee3d4e29abee209
                      • Instruction ID: 5cb7c247c8a2574f51c16fe5c717162bfc4bf56a7a2b13cebb7e7f9f896f4fea
                      • Opcode Fuzzy Hash: dafeb4730b77dc6d9b12f86dbabd9c064e11bff967542349eee3d4e29abee209
                      • Instruction Fuzzy Hash: 13911A71D01229ABDF20DFA5DC85ADEBBB9BF08710F20415AF519A7281DB715A44CFA0
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 000A7093
                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 000A70A7
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 000A70C1
                      • _wcscat.LIBCMT ref: 000A711C
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 000A7133
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 000A7161
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcscat
                      • String ID: SysListView32
                      • API String ID: 307300125-78025650
                      • Opcode ID: c237cd667c6e71ad7cad1c930eef3d8d816e14cc1a0d83597755c748d7b65122
                      • Instruction ID: 739800b65a919152685bb58b7bd0178eba72034f3e3c0e990b707557061d9f15
                      • Opcode Fuzzy Hash: c237cd667c6e71ad7cad1c930eef3d8d816e14cc1a0d83597755c748d7b65122
                      • Instruction Fuzzy Hash: B1418271A04309EFEB219FA4CC85FEE77E8EF09350F10452AF588A7192D6759D848B60
                      APIs
                        • Part of subcall function 00083E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00083EB6
                        • Part of subcall function 00083E91: Process32FirstW.KERNEL32(00000000,?), ref: 00083EC4
                        • Part of subcall function 00083E91: CloseHandle.KERNEL32(00000000), ref: 00083F8E
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009ECB8
                      • GetLastError.KERNEL32 ref: 0009ECCB
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009ECFA
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0009ED77
                      • GetLastError.KERNEL32(00000000), ref: 0009ED82
                      • CloseHandle.KERNEL32(00000000), ref: 0009EDB7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      • API String ID: 2533919879-2896544425
                      • Opcode ID: 37e2781bc32477b7d2b0bad13c7c8f9431745b2cc594e3a54f6dd46ddb077bc8
                      • Instruction ID: 08c3a62a4c53532fd9846911b851a0a1e51692f127065bf18331632581b44e87
                      • Opcode Fuzzy Hash: 37e2781bc32477b7d2b0bad13c7c8f9431745b2cc594e3a54f6dd46ddb077bc8
                      • Instruction Fuzzy Hash: 3141CE71A002019FDB25EF24CC95FBDB7A4AF81714F088459F8469B2C3DB79AC04CB96
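The record above is the report's clearest example of a process-kill routine: a Toolhelp32 snapshot walk in the subcall at 00083E91, then OpenProcess with a desired-access mask of 00000001 (PROCESS_TERMINATE, the minimum right needed) followed by TerminateProcess, with SeDebugPrivilege as the function's only string. As an added example, not part of the Joe Sandbox report or of the analysed binary, the following Python parses the report's API reference lines into records, decodes the OpenProcess access mask, and tags the enumerate-then-terminate pattern. The PROCESS_* bit values are the winnt.h constants; the sample input is this record's own API list copied verbatim; the "remote-memory-write" tag is an assumption that goes beyond this record and is included only to show how the same parser generalises to the injection pattern reported elsewhere on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One API reference line as printed in a Joe Sandbox "APIs" list, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009ECB8
#   • Part of subcall function 00083E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00083EB6
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Subset of the PROCESS_* access-right bits from winnt.h, used to read
# the first argument of OpenProcess.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # raw argument tokens; "?" means the sandbox could not resolve it
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when the line is a "Part of subcall" entry


def arg_int(token: str) -> Optional[int]:
    """Hex argument token -> int, or None for the sandbox's '?' placeholder."""
    token = token.strip()
    if not token or token == "?":
        return None
    return int(token, 16)  # tokens such as -C0000018 parse as negative values


def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # section headers and non-API lines are skipped
        args = m["args"].split(",") if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def decode_process_access(mask: int) -> List[str]:
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


def open_process_masks(calls: List[ApiCall]) -> List[int]:
    """Resolved desired-access masks of every OpenProcess call in the record."""
    masks = []
    for c in calls:
        if c.name == "OpenProcess" and c.args:
            v = arg_int(c.args[0])
            if v is not None:
                masks.append(v)
    return masks


def classify(calls: List[ApiCall]) -> Set[str]:
    """Tag the behaviour a function's API set implies."""
    names = {c.name for c in calls}
    masks = open_process_masks(calls)
    tags = set()
    if "CreateToolhelp32Snapshot" in names and names & {
            "Process32First", "Process32FirstW", "Process32Next", "Process32NextW"}:
        tags.add("process-enumeration")
    if "TerminateProcess" in names and any(m & 0x0001 for m in masks):
        tags.add("process-termination")
    # Assumed sibling pattern (not in the record above): a handle opened with
    # PROCESS_VM_OPERATION|PROCESS_VM_WRITE and then written to.
    if "WriteProcessMemory" in names and any(m & 0x0028 for m in masks):
        tags.add("remote-memory-write")
    return tags


# Constructed sample: the "APIs" list of the record above, copied verbatim.
SAMPLE = """\
  • Part of subcall function 00083E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00083EB6
  • Part of subcall function 00083E91: Process32FirstW.KERNEL32(00000000,?), ref: 00083EC4
  • Part of subcall function 00083E91: CloseHandle.KERNEL32(00000000), ref: 00083F8E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009ECB8
• GetLastError.KERNEL32 ref: 0009ECCB
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0009ECFA
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0009ED77
• GetLastError.KERNEL32(00000000), ref: 0009ED82
• CloseHandle.KERNEL32(00000000), ref: 0009EDB7
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    for c in calls:
        extra = f" (subcall of {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.name}.{c.module}{extra}")
    for m in open_process_masks(calls):
        print(f"OpenProcess access 0x{m:08X} = {decode_process_access(m)}")
    print("tags:", sorted(classify(calls)))
```

Feeding the record's list through `classify` yields both `process-enumeration` and `process-termination`; the two OpenProcess calls with the same arguments and a GetLastError between them match a retry after a privilege adjustment, which is what the SeDebugPrivilege string suggests, but the parser only reports what the API list states.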
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 000832C5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      • Opcode ID: 465a9151f168f99a3ffdf7bcd65d0e1488e50a66504e513edc5b31d699ee0b82
                      • Instruction ID: 26e00b1c3fc46f1e73f1a8b036a18d7cd43601bb7e513f204851383ed72a26e5
                      • Opcode Fuzzy Hash: 465a9151f168f99a3ffdf7bcd65d0e1488e50a66504e513edc5b31d699ee0b82
                      • Instruction Fuzzy Hash: 84112731308346BAA7116B55DC43DAEB3DCFF5AB70F20002AF940AA2C2E6655B4147B9
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0008454E
                      • LoadStringW.USER32(00000000), ref: 00084555
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0008456B
                      • LoadStringW.USER32(00000000), ref: 00084572
                      • _wprintf.LIBCMT ref: 00084598
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 000845B6
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 00084593
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wprintf
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 3648134473-3128320259
                      • Opcode ID: 9d222b38a44101b480540e7c811cdb81765afc9ef366f172c48d00dad65beb92
                      • Instruction ID: 26d3010dad9bd8a38f7899f0df9ba29d0e5dbb57b93e9fe1297884d5f4b8529f
                      • Opcode Fuzzy Hash: 9d222b38a44101b480540e7c811cdb81765afc9ef366f172c48d00dad65beb92
                      • Instruction Fuzzy Hash: 150162F2900209BFE760E7E0DD89EFB776CE709311F0005A5BB45D2052EA789E858B74
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • GetSystemMetrics.USER32(0000000F), ref: 000AD78A
                      • GetSystemMetrics.USER32(0000000F), ref: 000AD7AA
                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 000AD9E5
                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 000ADA03
                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 000ADA24
                      • ShowWindow.USER32(00000003,00000000), ref: 000ADA43
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 000ADA68
                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 000ADA8B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                      • String ID:
                      • API String ID: 1211466189-0
                      • Opcode ID: 876048b1c42ef53fdf8ee7df2e391407c05e48987b86283730e85031a0e295e3
                      • Instruction ID: f3a407a37e4d4351a730d65912f190ff1b75d21bdbf77379e3d28a2aa5a7702d
                      • Opcode Fuzzy Hash: 876048b1c42ef53fdf8ee7df2e391407c05e48987b86283730e85031a0e295e3
                      • Instruction Fuzzy Hash: D2B17A71600216EFDF54CFA8C9C57BE7BF1BF06701F08816AEC4A9A695DB34A950CB90
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0005C417,00000004,00000000,00000000,00000000), ref: 00022ACF
                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0005C417,00000004,00000000,00000000,00000000,000000FF), ref: 00022B17
                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0005C417,00000004,00000000,00000000,00000000), ref: 0005C46A
                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0005C417,00000004,00000000,00000000,00000000), ref: 0005C4D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      • Opcode ID: 40c30cbe7b0a08422061e9534addbb8271a8bb28b61230f5e6b7be048ad88306
                      • Instruction ID: 0cd93b26cb207bf22ad0ca2e7cd2f241f623c5944b9e116f706756d76c943c6b
                      • Opcode Fuzzy Hash: 40c30cbe7b0a08422061e9534addbb8271a8bb28b61230f5e6b7be048ad88306
                      • Instruction Fuzzy Hash: 37412B30208790BFE7758FA8FC98F7F7BD2AB46300F19892DE44746961C6799885D712
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0008737F
                        • Part of subcall function 00040FF6: std::exception::exception.LIBCMT ref: 0004102C
                        • Part of subcall function 00040FF6: __CxxThrowException@8.LIBCMT ref: 00041041
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 000873B6
                      • EnterCriticalSection.KERNEL32(?), ref: 000873D2
                      • _memmove.LIBCMT ref: 00087420
                      • _memmove.LIBCMT ref: 0008743D
                      • LeaveCriticalSection.KERNEL32(?), ref: 0008744C
                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00087461
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00087480
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                      • String ID:
                      • API String ID: 256516436-0
                      • Opcode ID: e8677b57fd08625facb8a134cc2d97bd118cd07c6aac25f3e553b4e87534f339
                      • Instruction ID: e3b887b19b277415326a400a2cbb11558e855d4ceb8e5665b260d018aff43328
                      • Opcode Fuzzy Hash: e8677b57fd08625facb8a134cc2d97bd118cd07c6aac25f3e553b4e87534f339
                      • Instruction Fuzzy Hash: 45319E71904206EBDF10EFA4DC85AAE7BB8FF45310B2440B5FD04AB246DB74DA54CBA4
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 000A645A
                      • GetDC.USER32(00000000), ref: 000A6462
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 000A646D
                      • ReleaseDC.USER32(00000000,00000000), ref: 000A6479
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 000A64B5
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 000A64C6
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,000A9299,?,?,000000FF,00000000,?,000000FF,?), ref: 000A6500
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 000A6520
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      • API String ID: 3864802216-0
                      • Opcode ID: 6c7e9cc34e443ca07441b2bf5ff4eee7fc8807bcf99c817f9ca5179576ec6a6c
                      • Instruction ID: a811c035ad496a9f56e3220e482a60c58bedeb9e78f265ac27ad815b3e502ef9
                      • Opcode Fuzzy Hash: 6c7e9cc34e443ca07441b2bf5ff4eee7fc8807bcf99c817f9ca5179576ec6a6c
                      • Instruction Fuzzy Hash: 4B317F72601614BFEB118FA0CC4AFFB3FA9EF0A761F084065FE089A191D6799C41CB64
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: 275d9d0ded6c1723acb4a8bf8af52b63f01492e2ec06043afb3737c01284be6b
                      • Instruction ID: fe773ff415cd5b5e678ce9290dca0ee9030e83e32a89a6735a97a1ce48688503
                      • Opcode Fuzzy Hash: 275d9d0ded6c1723acb4a8bf8af52b63f01492e2ec06043afb3737c01284be6b
                      • Instruction Fuzzy Hash: DA2195B1E00205B7F664A5219D42FFF279CAF61394B458038FE0D9A287F769ED1182ED
                      APIs
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                        • Part of subcall function 0003FEC6: _wcscpy.LIBCMT ref: 0003FEE9
                      • _wcstok.LIBCMT ref: 0008EEFF
                      • _wcscpy.LIBCMT ref: 0008EF8E
                      • _memset.LIBCMT ref: 0008EFC1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                      • String ID: X
                      • API String ID: 774024439-3081909835
                      • Opcode ID: d70232715b8635254667214f43cdbb76ec498a672187737f4c9f09137942628e
                      • Instruction ID: bb9b56d0a1efc702215fb29181f8cee9ec7f2b8279ec9ef8f416949e0091f658
                      • Opcode Fuzzy Hash: d70232715b8635254667214f43cdbb76ec498a672187737f4c9f09137942628e
                      • Instruction Fuzzy Hash: A5C19D715083519FCB24EF24D885AAAB7E4BF84310F14492DF8999B2A3DB70ED45CB82
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 555e289b25466fce52dc6aeda9f6803ff56dbaa726a3fab37e177f206d068c55
                      • Instruction ID: beac7d5f365a12311c7a23d698f12f62b58042a2ce5b2ad817c9ad231cd4dff9
                      • Opcode Fuzzy Hash: 555e289b25466fce52dc6aeda9f6803ff56dbaa726a3fab37e177f206d068c55
                      • Instruction Fuzzy Hash: 05718A30900529EFDB14DF98DC89EFEBBB9FF86314F108159F915AA251C734AA51CBA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1e2a2b6694a2d8c669393c0d53d13d50ff25fadbd8f56cb18c3443587a28a45f
                      • Instruction ID: 8a0c6d83e7302392536825880e90d79914baf712dcfd92d9a60fb21826e5956f
                      • Opcode Fuzzy Hash: 1e2a2b6694a2d8c669393c0d53d13d50ff25fadbd8f56cb18c3443587a28a45f
                      • Instruction Fuzzy Hash: C861E172508310ABDB20EB24DC86EAFB7E9AFC4714F14891DF54A97293DB719D04CB92
                      APIs
                      • IsWindow.USER32(00C37C00), ref: 000AB6A5
                      • IsWindowEnabled.USER32(00C37C00), ref: 000AB6B1
                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 000AB795
                      • SendMessageW.USER32(00C37C00,000000B0,?,?), ref: 000AB7CC
                      • IsDlgButtonChecked.USER32(?,?), ref: 000AB809
                      • GetWindowLongW.USER32(00C37C00,000000EC), ref: 000AB82B
                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 000AB843
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                      • String ID:
                      • API String ID: 4072528602-0
                      • Opcode ID: 9266a3f9c9495dd9ff3ff866b0a3d5cd15be1ecf027b25edcf29c1a08fe05f89
                      • Instruction ID: 8546fdc8a6ffcded27b0d1a3fd22386433e317f08c2655793da842df7d7e96c3
                      • Opcode Fuzzy Hash: 9266a3f9c9495dd9ff3ff866b0a3d5cd15be1ecf027b25edcf29c1a08fe05f89
                      • Instruction Fuzzy Hash: B071AD34604204AFEB609FE4C8A4FBE7BF9FF5B340F144069E945A7262CB76A941CB50
                      APIs
                      • _memset.LIBCMT ref: 0009F75C
                      • _memset.LIBCMT ref: 0009F825
                      • ShellExecuteExW.SHELL32(?), ref: 0009F86A
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                        • Part of subcall function 0003FEC6: _wcscpy.LIBCMT ref: 0003FEE9
                      • GetProcessId.KERNEL32(00000000), ref: 0009F8E1
                      • CloseHandle.KERNEL32(00000000), ref: 0009F910
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                      • String ID: @
                      • API String ID: 3522835683-2766056989
                      • Opcode ID: 9565cbd128390214693e913b12e39d9d040f7331b76a5308e6298d73c040e66d
                      • Instruction ID: 68ba5b0354f33eef43f8f51b7f8439c09e798e778fac48adb848a3055aece15c
                      • Opcode Fuzzy Hash: 9565cbd128390214693e913b12e39d9d040f7331b76a5308e6298d73c040e66d
                      • Instruction Fuzzy Hash: D5619D75A0062ADFCF14EF94D4859AEBBF4FF48310F148469E84AAB352CB31AD40CB90
                      APIs
                      • GetParent.USER32(?), ref: 0008149C
                      • GetKeyboardState.USER32(?), ref: 000814B1
                      • SetKeyboardState.USER32(?), ref: 00081512
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00081540
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0008155F
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 000815A5
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 000815C8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: fbb03ba71472f444ce31a486ff4325635c2b2385d2774868967fc2c75035740d
                      • Instruction ID: 27c36da7fa422995680e7ee36d4a3cfd1ec9c2d1df70d91b2ecd415bcdc3a9a2
                      • Opcode Fuzzy Hash: fbb03ba71472f444ce31a486ff4325635c2b2385d2774868967fc2c75035740d
                      • Instruction Fuzzy Hash: 3451F0B0A08BD57EFB3262348C45BFA7EED7F46304F088589E1D5868C3D298AC96D750
                      APIs
                      • GetParent.USER32(00000000), ref: 000812B5
                      • GetKeyboardState.USER32(?), ref: 000812CA
                      • SetKeyboardState.USER32(?), ref: 0008132B
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00081357
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00081374
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 000813B8
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 000813D9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 273162ca3bb3da2b8212c5dc1a72b12f02673b132e386e0d01fcc2e11811d75d
                      • Instruction ID: 3d67ab266f8a859f83821abb2c36f03eaceb1b52214a3988d3e0cb85f404870c
                      • Opcode Fuzzy Hash: 273162ca3bb3da2b8212c5dc1a72b12f02673b132e386e0d01fcc2e11811d75d
                      • Instruction Fuzzy Hash: 6B51D1B09086D53DFB32A6248C45BFABFED7F06300F088589E1D4968C2D395AD9AD760
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _wcsncpy$LocalTime
                      • String ID:
                      • API String ID: 2945705084-0
                      • Opcode ID: f9b7a2cd9fd79f01ea63d02ade53a2c8ee177fe82c8acaf6add1e78a67478f57
                      • Instruction ID: 2f17a02e1ece89c5536bc553b147c3466d82ceb01a57b9f6f22dc707e9fda794
                      • Opcode Fuzzy Hash: f9b7a2cd9fd79f01ea63d02ade53a2c8ee177fe82c8acaf6add1e78a67478f57
                      • Instruction Fuzzy Hash: C941A4A5C2051876CB50FBB5CC8AACFB3A8AF04311F509562F958E3122F734E714C7AA
                      APIs
                        • Part of subcall function 000848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,000838D3,?), ref: 000848C7
                        • Part of subcall function 000848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,000838D3,?), ref: 000848E0
                      • lstrcmpiW.KERNEL32(?,?), ref: 000838F3
                      • _wcscmp.LIBCMT ref: 0008390F
                      • MoveFileW.KERNEL32(?,?), ref: 00083927
                      • _wcscat.LIBCMT ref: 0008396F
                      • SHFileOperationW.SHELL32(?), ref: 000839DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                      • String ID: \*.*
                      • API String ID: 1377345388-1173974218
                      • Opcode ID: 91c0f16101d5a7abe36f61fea69bcc5367ea5abbec451f914d9689f05fb08cc6
                      • Instruction ID: 79eef9de601c2391e4dc8817ecaf6781c5c8332d58ecad42e0192d30d18ecca1
                      • Opcode Fuzzy Hash: 91c0f16101d5a7abe36f61fea69bcc5367ea5abbec451f914d9689f05fb08cc6
                      • Instruction Fuzzy Hash: 094159B25083459AD791EF64C481AEFB7E8BF89740F40192EF4CAC3252EA74D688C752
                      APIs
                      • _memset.LIBCMT ref: 000A7519
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 000A75C0
                      • IsMenu.USER32(?), ref: 000A75D8
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 000A7620
                      • DrawMenuBar.USER32 ref: 000A7633
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert_memset
                      • String ID: 0
                      • API String ID: 3866635326-4108050209
                      • Opcode ID: b34ddd72392dad58e23a6839af1cb4c7155248c35df10df462fde01696e4ec49
                      • Instruction ID: a0cea84cdd2eb25ccd201c90344c109b1d5289ece5db88002c595678ce37c524
                      • Opcode Fuzzy Hash: b34ddd72392dad58e23a6839af1cb4c7155248c35df10df462fde01696e4ec49
                      • Instruction Fuzzy Hash: 05413D75A04A09EFDB20DFA4D884EAABBF5FF06350F048129E9599B250D735ED50CF90
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 000A125C
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A1286
                      • FreeLibrary.KERNEL32(00000000), ref: 000A133D
                        • Part of subcall function 000A122D: RegCloseKey.ADVAPI32(?), ref: 000A12A3
                        • Part of subcall function 000A122D: FreeLibrary.KERNEL32(?), ref: 000A12F5
                        • Part of subcall function 000A122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 000A1318
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 000A12E0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                      • String ID:
                      • API String ID: 395352322-0
                      • Opcode ID: 5c773e244e24d604f1d07bfc5977a7397c10c9c84295a08f0b277af87da8b865
                      • Instruction ID: bd82355272ef8813ccf8c7f3ac8aa818ee52295aefef136c7447902ce5bb8edd
                      • Opcode Fuzzy Hash: 5c773e244e24d604f1d07bfc5977a7397c10c9c84295a08f0b277af87da8b865
                      • Instruction Fuzzy Hash: 123108B1901119BFEB159FD0DC89EFEB7BCEF0A340F00016AE552E2151EA749F859BA4
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 000A655B
                      • GetWindowLongW.USER32(00C37C00,000000F0), ref: 000A658E
                      • GetWindowLongW.USER32(00C37C00,000000F0), ref: 000A65C3
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 000A65F5
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 000A661F
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 000A6630
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 000A664A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID:
                      • API String ID: 2178440468-0
                      • Opcode ID: d27d73a2904fc9f890d08aa34c550aa829eeacf693898e4b6a2cdf9d4655cbe2
                      • Instruction ID: 3eb687aa697624d0c157db520c13ec70f1532eeab1a6990388fbe21d5f14756b
                      • Opcode Fuzzy Hash: d27d73a2904fc9f890d08aa34c550aa829eeacf693898e4b6a2cdf9d4655cbe2
                      • Instruction Fuzzy Hash: 3D310330A04551AFEB20CFA8EC88F6537F1FB5A790F190268F5119F2B6CB66A840DB41
                      APIs
                        • Part of subcall function 000980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000980CB
                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 000964D9
                      • WSAGetLastError.WSOCK32(00000000), ref: 000964E8
                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00096521
                      • connect.WSOCK32(00000000,?,00000010), ref: 0009652A
                      • WSAGetLastError.WSOCK32 ref: 00096534
                      • closesocket.WSOCK32(00000000), ref: 0009655D
                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00096576
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                      • String ID:
                      • API String ID: 910771015-0
                      • Opcode ID: d2de125417ffd7d72c01c33fc47a09c06d3fe18ac876c75c35eb561915c88522
                      • Instruction ID: 8323fe2f7c516b290e15b4bb4c7369d0aa77e864e39b75ce381847d2d2e4da55
                      • Opcode Fuzzy Hash: d2de125417ffd7d72c01c33fc47a09c06d3fe18ac876c75c35eb561915c88522
                      • Instruction Fuzzy Hash: 9B31B331600618AFEF109F64DC85BBE7BECEB45724F008029FD4997291DB79AD04DBA1
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007E0FA
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0007E120
                      • SysAllocString.OLEAUT32(00000000), ref: 0007E123
                      • SysAllocString.OLEAUT32 ref: 0007E144
                      • SysFreeString.OLEAUT32 ref: 0007E14D
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0007E167
                      • SysAllocString.OLEAUT32(?), ref: 0007E175
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: aa0cf60712ca19ac3003377e923713a1de07797b24153402b0fdbac6586a3012
                      • Instruction ID: a044a6da09807988782657365d52fadd1ad48cf7843156005776aba6d9c30dfb
                      • Opcode Fuzzy Hash: aa0cf60712ca19ac3003377e923713a1de07797b24153402b0fdbac6586a3012
                      • Instruction Fuzzy Hash: 05219531601109AFEB10AFA8DC89CBB77ECEB0D760B408175F918CB260DA789C418B68
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: __wcsnicmp
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 1038674560-2734436370
                      • Opcode ID: 42700123fb5334dceb74e666dbbf3242bcf6a5cee8b9beb573815f905086cfba
                      • Instruction ID: 7be38f8027b21f8365ca0cbfb0225ac4c00eafee243c7488ffec98200bb955fb
                      • Opcode Fuzzy Hash: 42700123fb5334dceb74e666dbbf3242bcf6a5cee8b9beb573815f905086cfba
                      • Instruction Fuzzy Hash: 002167B2A04116E6D235E624DE12EFB73D8EF11300F10C035F98987182EB98AD91D29D
                      APIs
                        • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                        • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                        • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 000A78A1
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 000A78AE
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 000A78B9
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 000A78C8
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 000A78D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 65af08eda26de6b5a20259ba3e2e1ee43dd0e352baafaf42cfe23d949a945f03
                      • Instruction ID: e093bb460876b585a9fe5df7f1a0c95c41c9f9461a8025c0ac583b324ae72d02
                      • Opcode Fuzzy Hash: 65af08eda26de6b5a20259ba3e2e1ee43dd0e352baafaf42cfe23d949a945f03
                      • Instruction Fuzzy Hash: 5E11B6B1154219BFEF159FA0CC85EE77F5DEF09798F014115F608A6091CB769C21DBA0
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00044292,?), ref: 000441E3
                      • GetProcAddress.KERNEL32(00000000), ref: 000441EA
                      • EncodePointer.KERNEL32(00000000), ref: 000441F6
                      • DecodePointer.KERNEL32(00000001,00044292,?), ref: 00044213
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                      • String ID: RoInitialize$combase.dll
                      • API String ID: 3489934621-340411864
                      • Opcode ID: e20dd1806871a8ed1a7044ccd56ca75a4e7eb6bb60bf1b1e7cc3f322c75debbd
                      • Instruction ID: 6863783a2ecdc21c2547e0b2fed7d69ed4eac735f8ece00c66e2e093730e66f0
                      • Opcode Fuzzy Hash: e20dd1806871a8ed1a7044ccd56ca75a4e7eb6bb60bf1b1e7cc3f322c75debbd
                      • Instruction Fuzzy Hash: F5E01AB0A90741AEFF606BB0EC89B643AA4B762B43F504874F511ED0A0DBBD40959F04
                      APIs
                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,000441B8), ref: 000442B8
                      • GetProcAddress.KERNEL32(00000000), ref: 000442BF
                      • EncodePointer.KERNEL32(00000000), ref: 000442CA
                      • DecodePointer.KERNEL32(000441B8), ref: 000442E5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                      • String ID: RoUninitialize$combase.dll
                      • API String ID: 3489934621-2819208100
                      • Opcode ID: b7933da295cad2c61fe0a030ceaf55baba76d7adde5093dca83da252e3a75f56
                      • Instruction ID: f3ea98a6990614fb6cf7c87d062abb5dd37cc3270e9e00f40e40b02da9141f31
                      • Opcode Fuzzy Hash: b7933da295cad2c61fe0a030ceaf55baba76d7adde5093dca83da252e3a75f56
                      • Instruction Fuzzy Hash: FDE0B6B8681742AFFF50ABA1ED4DB553AA4B725B42F504478F501E90A0CBBC4540DB18
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memmove$__itow__swprintf
                      • String ID:
                      • API String ID: 3253778849-0
                      • Opcode ID: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
                      • Instruction ID: 3f3f140d465d9b42690b97ac081fe044f57d0278a1a446d9f6fe9f2e3efe887f
                      • Opcode Fuzzy Hash: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
                      • Instruction Fuzzy Hash: 6361AD3050066A9BDF12FF24DC82EFE37A8BF04308F054529F9995B293DB359945CB90
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 000A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000A0038,?,?), ref: 000A10BC
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A0548
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A0588
                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 000A05AB
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 000A05D4
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 000A0617
                      • RegCloseKey.ADVAPI32(00000000), ref: 000A0624
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                      • String ID:
                      • API String ID: 4046560759-0
                      APIs
                      • GetMenu.USER32(?), ref: 000A5A82
                      • GetMenuItemCount.USER32(00000000), ref: 000A5AB9
                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 000A5AE1
                      • GetMenuItemID.USER32(?,?), ref: 000A5B50
                      • GetSubMenu.USER32(?,?), ref: 000A5B5E
                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 000A5BAF
                      Similarity
                      • API ID: Menu$Item$CountMessagePostString
                      • String ID:
                      • API String ID: 650687236-0
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0007F3F7
                      • VariantClear.OLEAUT32(00000013), ref: 0007F469
                      • VariantClear.OLEAUT32(00000000), ref: 0007F4C4
                      • _memmove.LIBCMT ref: 0007F4EE
                      • VariantClear.OLEAUT32(?), ref: 0007F53B
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0007F569
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType_memmove
                      • String ID:
                      • API String ID: 1101466143-0
                      APIs
                      • _memset.LIBCMT ref: 00082747
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00082792
                      • IsMenu.USER32(00000000), ref: 000827B2
                      • CreatePopupMenu.USER32 ref: 000827E6
                      • GetMenuItemCount.USER32(000000FF), ref: 00082844
                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00082875
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                      • String ID:
                      • API String ID: 3311875123-0
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 0002179A
                      • GetWindowRect.USER32(?,?), ref: 000217FE
                      • ScreenToClient.USER32(?,?), ref: 0002181B
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0002182C
                      • EndPaint.USER32(?,?), ref: 00021876
                      Similarity
                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                      • String ID:
                      • API String ID: 1827037458-0
                      APIs
                      • ShowWindow.USER32(000E67B0,00000000,00C37C00,?,?,000E67B0,?,000AB862,?,?), ref: 000AB9CC
                      • EnableWindow.USER32(00000000,00000000), ref: 000AB9F0
                      • ShowWindow.USER32(000E67B0,00000000,00C37C00,?,?,000E67B0,?,000AB862,?,?), ref: 000ABA50
                      • ShowWindow.USER32(00000000,00000004,?,000AB862,?,?), ref: 000ABA62
                      • EnableWindow.USER32(00000000,00000001), ref: 000ABA86
                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 000ABAA9
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      APIs
                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00095134,?,?,00000000,00000001), ref: 000973BF
                        • Part of subcall function 00093C94: GetWindowRect.USER32(?,?), ref: 00093CA7
                      • GetDesktopWindow.USER32 ref: 000973E9
                      • GetWindowRect.USER32(00000000), ref: 000973F0
                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00097422
                        • Part of subcall function 000854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0008555E
                      • GetCursorPos.USER32(?), ref: 0009744E
                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 000974AC
                      Similarity
                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                      • String ID:
                      • API String ID: 4137160315-0
                      APIs
                        • Part of subcall function 000785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00078608
                        • Part of subcall function 000785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00078612
                        • Part of subcall function 000785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00078621
                        • Part of subcall function 000785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00078628
                        • Part of subcall function 000785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0007863E
                      • GetLengthSid.ADVAPI32(?,00000000,00078977), ref: 00078DAC
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00078DB8
                      • HeapAlloc.KERNEL32(00000000), ref: 00078DBF
                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00078DD8
                      • GetProcessHeap.KERNEL32(00000000,00000000,00078977), ref: 00078DEC
                      • HeapFree.KERNEL32(00000000), ref: 00078DF3
                      Similarity
                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                      • String ID:
                      • API String ID: 3008561057-0
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00078B2A
                      • OpenProcessToken.ADVAPI32(00000000), ref: 00078B31
                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00078B40
                      • CloseHandle.KERNEL32(00000004), ref: 00078B4B
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00078B7A
                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00078B8E
                      Similarity
                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 1413079979-0
                      APIs
                        • Part of subcall function 000212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0002134D
                        • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002135C
                        • Part of subcall function 000212F3: BeginPath.GDI32(?), ref: 00021373
                        • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002139C
                      • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 000AC1C4
                      • LineTo.GDI32(00000000,00000003,?), ref: 000AC1D8
                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000AC1E6
                      • LineTo.GDI32(00000000,00000000,?), ref: 000AC1F6
                      • EndPath.GDI32(00000000), ref: 000AC206
                      • StrokePath.GDI32(00000000), ref: 000AC216
                      Similarity
                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                      • String ID:
                      • API String ID: 43455801-0
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 000403D3
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 000403DB
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 000403E6
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 000403F1
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 000403F9
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00040401
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0008569B
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 000856B1
                      • GetWindowThreadProcessId.USER32(?,?), ref: 000856C0
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000856CF
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000856D9
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 000856E0
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      APIs
                      • InterlockedExchange.KERNEL32(?,?), ref: 000874E5
                      • EnterCriticalSection.KERNEL32(?,?,00031044,?,?), ref: 000874F6
                      • TerminateThread.KERNEL32(00000000,000001F6,?,00031044,?,?), ref: 00087503
                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00031044,?,?), ref: 00087510
                        • Part of subcall function 00086ED7: CloseHandle.KERNEL32(00000000,?,0008751D,?,00031044,?,?), ref: 00086EE1
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00087523
                      • LeaveCriticalSection.KERNEL32(?,?,00031044,?,?), ref: 0008752A
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00078E7F
                      • UnloadUserProfile.USERENV(?,?), ref: 00078E8B
                      • CloseHandle.KERNEL32(?), ref: 00078E94
                      • CloseHandle.KERNEL32(?), ref: 00078E9C
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00078EA5
                      • HeapFree.KERNEL32(00000000), ref: 00078EAC
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 00098928
                      • CharUpperBuffW.USER32(?,?), ref: 00098A37
                      • VariantClear.OLEAUT32(?), ref: 00098BAF
                        • Part of subcall function 00087804: VariantInit.OLEAUT32(00000000), ref: 00087844
                        • Part of subcall function 00087804: VariantCopy.OLEAUT32(00000000,?), ref: 0008784D
                        • Part of subcall function 00087804: VariantClear.OLEAUT32(00000000), ref: 00087859
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4237274167-1221869570
                      • Opcode ID: 67573b25ff8ea7f82f6b7d30be6379b176fea6bec2ac24a8499c8c18899797a1
                      • Instruction ID: 11849ebe5973ca1b1bb7432b6d09ee4eee9076cf40ec4896d7eea4253468274d
                      • Opcode Fuzzy Hash: 67573b25ff8ea7f82f6b7d30be6379b176fea6bec2ac24a8499c8c18899797a1
                      • Instruction Fuzzy Hash: 139162716083019FCB10DF24C48599BBBE4EF8A714F18896EF89A8B362DB31D945DB52
                      APIs
                        • Part of subcall function 0003FEC6: _wcscpy.LIBCMT ref: 0003FEE9
                      • _memset.LIBCMT ref: 00083077
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000830A6
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00083159
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00083187
                      Strings
                      Similarity
                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                      • String ID: 0
                      • API String ID: 4152858687-4108050209
                      • Opcode ID: 0e7ad70a6424994bf0641553c1069c3ceb91ac505039e66e83dcdfa30f12f809
                      • Instruction ID: 1b7e7793edb7f4f35b263506129687a43780fbcc1ba873698fce5e09f747117a
                      • Opcode Fuzzy Hash: 0e7ad70a6424994bf0641553c1069c3ceb91ac505039e66e83dcdfa30f12f809
                      • Instruction Fuzzy Hash: 1051D0716083009ADB65BF28D849AABBBE4FF95F60F040A2DF8C5D3191DB74CE448B56
                      APIs
                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0007DAC5
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0007DAFB
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0007DB0C
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0007DB8E
                      Strings
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: DllGetClassObject
                      • API String ID: 753597075-1075368562
                      • Opcode ID: fd588ed5b26c538b1973a5c813cc8106c0d6f39c566384995ecacfa4bd547e13
                      • Instruction ID: 3923c4ece0d066a36acd6de3990fd2d9eadba6bcc81205a7a9a2a8a825a981eb
                      • Opcode Fuzzy Hash: fd588ed5b26c538b1973a5c813cc8106c0d6f39c566384995ecacfa4bd547e13
                      • Instruction Fuzzy Hash: 41418371A00205EFDB15CF54C884A9A7BF9EF44350F15C1ABAD099F206D7B9DD40DBA4
                      APIs
                      • _memset.LIBCMT ref: 00082CAF
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00082CCB
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00082D11
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,000E6890,00000000), ref: 00082D5A
                      Strings
                      Similarity
                      • API ID: Menu$Delete$InfoItem_memset
                      • String ID: 0
                      • API String ID: 1173514356-4108050209
                      • Opcode ID: acb8fdddb7055a547abc8d827245e93334d52d85eafc87d57912764f2a3c537c
                      • Instruction ID: 9df464f3250b5ecf4177124bfa70bfcd2724a1e2eb687a35874f04b15afb3121
                      • Opcode Fuzzy Hash: acb8fdddb7055a547abc8d827245e93334d52d85eafc87d57912764f2a3c537c
                      • Instruction Fuzzy Hash: EB4186701053029FD724EF24D845B5BBBE4FF85320F144A6DF9A597292D770E905CB92
                      APIs
                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0009DAD9
                        • Part of subcall function 000279AB: _memmove.LIBCMT ref: 000279F9
                      Strings
                      Similarity
                      • API ID: BuffCharLower_memmove
                      • String ID: cdecl$none$stdcall$winapi
                      • API String ID: 3425801089-567219261
                      • Opcode ID: 10e797c51f1c8953d221c372aabd05cebf6b36368b9ecbbd378afcb8d5a9672f
                      • Instruction ID: 9a9256b812646ac81a7a2dd6a71921e7198ea28673e4b5989e084370c4496869
                      • Opcode Fuzzy Hash: 10e797c51f1c8953d221c372aabd05cebf6b36368b9ecbbd378afcb8d5a9672f
                      • Instruction Fuzzy Hash: 4C31A27190461AEFCF10EF94CC819EEB7B4FF05310B10866AE865A77D2DB31A905CB90
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 000793F6
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00079409
                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00079439
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      Strings
                      Similarity
                      • API ID: MessageSend$_memmove$ClassName
                      • String ID: ComboBox$ListBox
                      • API String ID: 365058703-1403004172
                      • Opcode ID: db738f5de9d3bb6b2c8d3f3fba46d3514f355be58c0843cfe1015701dd15d160
                      • Instruction ID: 915cd27767bc28ee4ac8fe1937f94dbb3a312d54ef4fac4dd6119e6f839981dd
                      • Opcode Fuzzy Hash: db738f5de9d3bb6b2c8d3f3fba46d3514f355be58c0843cfe1015701dd15d160
                      • Instruction Fuzzy Hash: 3F21D671D04104BBDB14ABB4DC86DFFB7BCDF06350B148129F929A72E2DB394A0A9664
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00091B40
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00091B66
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00091B96
                      • InternetCloseHandle.WININET(00000000), ref: 00091BDD
                        • Part of subcall function 00092777: GetLastError.KERNEL32(?,?,00091B0B,00000000,00000000,00000001), ref: 0009278C
                        • Part of subcall function 00092777: SetEvent.KERNEL32(?,?,00091B0B,00000000,00000000,00000001), ref: 000927A1
                      Strings
                      Similarity
                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 3113390036-3916222277
                      • Opcode ID: ba71a0da039ad2816a9816c26b7e84abbb74fcde01da62d87fdf6b278f81a004
                      • Instruction ID: 1b82899759137a5c57b7165eb6074c8574d0f09400ef20a7982ba006ca8df760
                      • Opcode Fuzzy Hash: ba71a0da039ad2816a9816c26b7e84abbb74fcde01da62d87fdf6b278f81a004
                      • Instruction Fuzzy Hash: 4C21CFB1604209BFEF219FA49CC5EFF76EDEB49744F10012AF445A2240EB349D04A7A1
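The listing above is dominated by the AutoIt interpreter's own built-ins (the AUTOIT.ERROR / Incorrect Parameter format strings and the menu, combo box and INI helpers are runtime code, consistent with the "compiled AutoIt script" signature), so the entries worth reading by hand are the few whose imports combine into a capability: the WinINet download routine at 00091B40, the CreatePipe / nul stdio redirection at 0008705E and 0008712B, the DllGetClassObject lookup at 0007DB0C, the RegConnectRegistryW enumeration at 000A0388. The script below is an added triage helper, not part of the Joe Sandbox report or of the AutoIt project: it parses the report's APIs / Similarity blocks and flags functions by such combinations. The capability rules are the editor's own heuristics, not Joe Sandbox signatures, and the sample text is constructed from four entries copied off this page.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example)."""
import re

# Constructed sample: four entries copied from this report's listing, refs unchanged.
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00091B40
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00091B66
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00091B96
• InternetCloseHandle.WININET(00000000), ref: 00091BDD
  • Part of subcall function 00092777: GetLastError.KERNEL32(?,?,00091B0B,00000000,00000000,00000001), ref: 0009278C
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 0008705E
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00087091
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000870DD
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0007DAC5
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0007DB0C
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
APIs
  • Part of subcall function 0003FEC6: _wcscpy.LIBCMT ref: 0003FEE9
• _memset.LIBCMT ref: 00083077
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 000830A6
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)" (CRT helpers such as _memset.LIBCMT have none), optional ", ref: ADDR".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


def parse_entries(text):
    """Split the listing into function entries: direct APIs, subcall APIs, strings."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":  # every function entry opens with this header
            cur = {"apis": [], "subcalls": [], "strings": [], "api_id": ""}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if s.startswith("• String ID:"):
            val = s[len("• String ID:"):].strip()
            cur["strings"] = val.split("$") if val else []
            continue
        if s.startswith("• API ID:"):
            cur["api_id"] = s[len("• API ID:"):].strip()
            continue
        m = API_RE.match(line)
        if not m:
            continue  # dump-source, hash and header lines carry no call information
        call = {"name": m["name"], "module": m["module"].upper(),
                "args": m["args"].split(",") if m["args"] else [],
                "ref": (m["ref"] or "").upper()}
        (cur["subcalls"] if m["sub"] else cur["apis"]).append(call)
    return entries


def _names(entry):
    return {a["name"] for a in entry["apis"]}


# Heuristic capability rules (editor's own, not Joe Sandbox signatures). Each rule
# looks only at a function's direct imports plus its referenced strings.
CAPABILITIES = (
    ("network (WinINet)",
     lambda e: any(a["module"] == "WININET" for a in e["apis"])),
    ("child-process stdio redirection",
     lambda e: {"CreatePipe", "GetStdHandle"} <= _names(e)),
    ("manual COM class loading",
     lambda e: "GetProcAddress" in _names(e) and "DllGetClassObject" in e["strings"]),
    ("remote registry enumeration",
     lambda e: {"RegConnectRegistryW", "RegEnumKeyExW"} <= _names(e)),
    ("process resource query",
     lambda e: {"OpenProcess", "GetProcessMemoryInfo"} <= _names(e)),
)


def classify(entry):
    return [label for label, rule in CAPABILITIES if rule(entry)]


def triage(text):
    """Map each flagged function (keyed by the ref of its first direct call) to its labels."""
    result = {}
    for entry in parse_entries(text):
        if not entry["apis"]:
            continue
        flags = classify(entry)
        if flags:
            result[entry["apis"][0]["ref"]] = flags
    return result


if __name__ == "__main__":
    for ref, flags in triage(SAMPLE).items():
        print(f"function near {ref}: {', '.join(flags)}")
```

Run it against a saved copy of the full listing instead of SAMPLE to get a short worklist of ref addresses. The rules deliberately ignore "Part of subcall function" lines, so a wrapper that reaches WinINet only through a callee is not flagged; extend `_names` to include `entry["subcalls"]` if you want the opposite trade-off (more hits, more runtime noise).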
                      APIs
                        • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                        • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                        • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 000A66D0
                      • LoadLibraryW.KERNEL32(?), ref: 000A66D7
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 000A66EC
                      • DestroyWindow.USER32(?), ref: 000A66F4
                      Strings
                      Similarity
                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                      • String ID: SysAnimate32
                      • API String ID: 4146253029-1011021900
                      • Opcode ID: 2f96dc355b2e4b5e651a1b4e6a8c30cffed23443332bd29ff9894d1bfdff4931
                      • Instruction ID: 1d3a2e59b2f02b187002f12f5fdc22197b94c781966e0c4bb7d473102187cd32
                      • Opcode Fuzzy Hash: 2f96dc355b2e4b5e651a1b4e6a8c30cffed23443332bd29ff9894d1bfdff4931
                      • Instruction Fuzzy Hash: 10219D71200206ABEF104FA4EC80EBB77FDEB5A368F184629F950961A0DB72CC519760
                      APIs
                      • GetStdHandle.KERNEL32(0000000C), ref: 0008705E
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00087091
                      • GetStdHandle.KERNEL32(0000000C), ref: 000870A3
                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 000870DD
                      Strings
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: 1ef778f67ba6a5be1e718b2e744d656b8db50f8981c08533bdba626be847b23f
                      • Instruction ID: db1d374722c129a862c2c9af2a52f709db072fefb722a2284d147b7da7c2f312
                      • Opcode Fuzzy Hash: 1ef778f67ba6a5be1e718b2e744d656b8db50f8981c08533bdba626be847b23f
                      • Instruction Fuzzy Hash: CC217F74604309EBDB20AF68D805A9A77E8BF95720F304A29F9E4D72D5D771E850CB60
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 0008712B
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0008715D
                      • GetStdHandle.KERNEL32(000000F6), ref: 0008716E
                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 000871A8
                      Strings
                      Similarity
                      • API ID: CreateHandle$FilePipe
                      • String ID: nul
                      • API String ID: 4209266947-2873401336
                      • Opcode ID: e43dfccb097613adf5dac42a4e3476428f4db7e1ad798371d171e28666b9c500
                      • Instruction ID: 15d333aaa8b96edd0583296a8ecc39a77f2d5dbe3f481618427ba7dbd859855c
                      • Opcode Fuzzy Hash: e43dfccb097613adf5dac42a4e3476428f4db7e1ad798371d171e28666b9c500
                      • Instruction Fuzzy Hash: A5219D75608206ABDF20AF6C9C08AAAB7E8BF55720F300A19F9E4D72D4D770D841CB61
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 0008AEBF
                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0008AF13
                      • __swprintf.LIBCMT ref: 0008AF2C
                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,000AF910), ref: 0008AF6A
                      Strings
                      Similarity
                      • API ID: ErrorMode$InformationVolume__swprintf
                      • String ID: %lu
                      • API String ID: 3164766367-685833217
                      • Opcode ID: d3c37b40cf18148431ee75bc3ac8475bb89a8489225034fb7d7e963ac1569608
                      • Instruction ID: 57da4a7ab39a6e1d68f377acc92e372a9f409bc9fcea3f5714c1626b53223d89
                      • Opcode Fuzzy Hash: d3c37b40cf18148431ee75bc3ac8475bb89a8489225034fb7d7e963ac1569608
                      • Instruction Fuzzy Hash: 21215630A00209AFDB10EF94DD85DEE77B8FF49704B104069F909DB252DB31EA45CB61
                      APIs
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                        • Part of subcall function 0007A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0007A399
                        • Part of subcall function 0007A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0007A3AC
                        • Part of subcall function 0007A37C: GetCurrentThreadId.KERNEL32 ref: 0007A3B3
                        • Part of subcall function 0007A37C: AttachThreadInput.USER32(00000000), ref: 0007A3BA
                      • GetFocus.USER32 ref: 0007A554
                        • Part of subcall function 0007A3C5: GetParent.USER32(?), ref: 0007A3D3
                      • GetClassNameW.USER32(?,?,00000100), ref: 0007A59D
                      • EnumChildWindows.USER32(?,0007A615), ref: 0007A5C5
                      • __swprintf.LIBCMT ref: 0007A5DF
                      Strings
                      Similarity
                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                      • String ID: %s%d
                      • API String ID: 1941087503-1110647743
                      • Opcode ID: c2ae0bb77f638b8e5283f2bbf7bef743ca1bbe352c035e9cadacb4dc04b6627c
                      • Instruction ID: 221572147a5f419ce9c9efeaca406d30f7426ec1fe825d63eb5afa92bdadd4dc
                      • Opcode Fuzzy Hash: c2ae0bb77f638b8e5283f2bbf7bef743ca1bbe352c035e9cadacb4dc04b6627c
                      • Instruction Fuzzy Hash: D6117271A002096BDF117FA4DC85FFE77789F8A710F048075BE0CAA193CA785A458B79
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 00082048
                      Strings
                      Similarity
                      • API ID: BuffCharUpper
                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                      • API String ID: 3964851224-769500911
                      • Opcode ID: 0f27761af44cb8ff4b456287283ae71e725517df666efb3729115b87491a5620
                      • Instruction ID: 2aceffd4e91e1e7b69d43d4dece55e3374304c763a9d76b18c15fdaebe569982
                      • Opcode Fuzzy Hash: 0f27761af44cb8ff4b456287283ae71e725517df666efb3729115b87491a5620
                      • Instruction Fuzzy Hash: 58113974D0021A8FCF40EFA4D9418EEB7B4BF16304F1084A9D895A7353EB32690ACB50
                      APIs
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0009EF1B
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0009EF4B
                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0009F07E
                      • CloseHandle.KERNEL32(?), ref: 0009F0FF
                      Similarity
                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                      • String ID:
                      • API String ID: 2364364464-0
                      • Opcode ID: 0aa7910aa213eb03136738940bc8d78637e75cfa5734f78a4a27fd0f1fd865f8
                      • Instruction ID: dfb2189f1ba352d03452dbd4551bfa9381a7af09def54e3f448dc4e591d7e02f
                      • Opcode Fuzzy Hash: 0aa7910aa213eb03136738940bc8d78637e75cfa5734f78a4a27fd0f1fd865f8
                      • Instruction Fuzzy Hash: 678184716047119FDB20DF28D846F6AB7E5AF88710F14881DF995DB293DB71AC40CB91
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 000A10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,000A0038,?,?), ref: 000A10BC
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 000A0388
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 000A03C7
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 000A040E
                      • RegCloseKey.ADVAPI32(?,?), ref: 000A043A
                      • RegCloseKey.ADVAPI32(00000000), ref: 000A0447
                      Similarity
                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                      • String ID:
                      • API String ID: 3440857362-0
                      • Opcode ID: 9e9a8bb8c4603800b6bc41f570be833bd19255022c245d50967fbb86cbe52a1a
                      • Instruction ID: 49ce380e48ea8baca35eb581470fb3afda0ab06ac4519a13e85e448b1efeb684
                      • Opcode Fuzzy Hash: 9e9a8bb8c4603800b6bc41f570be833bd19255022c245d50967fbb86cbe52a1a
                      • Instruction Fuzzy Hash: 77513C71208205AFDB14EF94DC81EAEB7E8FF89304F04892DB59597292DB35E904CB52
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0008E88A
                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0008E8B3
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0008E8F2
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0008E917
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0008E91F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                      • String ID:
                      • API String ID: 1389676194-0
                      • Opcode ID: 9f266ae033e001f871e9281ce32050ecc1ebf04a68417e94b01ce994a5708832
                      • Instruction ID: 739762f3de85cd5586164a4fa28287697abc8bd9c68f45ae2ba49242995ea593
                      • Opcode Fuzzy Hash: 9f266ae033e001f871e9281ce32050ecc1ebf04a68417e94b01ce994a5708832
                      • Instruction Fuzzy Hash: 96512735A00215EFDB01EF64D981AAEBBF5FF09310F1480A9E849AB362CB71ED51CB51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4963f0aef947fba0e3770322552900ada7657e4cdfcde08d5993196c65193870
                      • Instruction ID: d51ff90b9a52e260da9fb04d0402a15b60f69804b5b75ba464b16b8758f2d982
                      • Opcode Fuzzy Hash: 4963f0aef947fba0e3770322552900ada7657e4cdfcde08d5993196c65193870
                      • Instruction Fuzzy Hash: BA41F336E00204AFDB20DFA8DC48FB9BBE4EB0B350F140265F956A72E1D774AE41DA51
                      APIs
                      • GetCursorPos.USER32(?), ref: 00022357
                      • ScreenToClient.USER32(000E67B0,?), ref: 00022374
                      • GetAsyncKeyState.USER32(00000001), ref: 00022399
                      • GetAsyncKeyState.USER32(00000002), ref: 000223A7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: 2ace49735ee07f7ce8264caba162acfec613d5a788755aae12703475962271b8
                      • Instruction ID: e29d828808fa2c81b2597b972d5630713a2b4adf475ad10c72ebedc2d961f193
                      • Opcode Fuzzy Hash: 2ace49735ee07f7ce8264caba162acfec613d5a788755aae12703475962271b8
                      • Instruction Fuzzy Hash: 15418E31504229FFEF15DFA8D844EEEBBB4FB06324F20431AF82896290C7755A94DB91
                      APIs
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0007695D
                      • TranslateAcceleratorW.USER32(?,?,?), ref: 000769A9
                      • TranslateMessage.USER32(?), ref: 000769D2
                      • DispatchMessageW.USER32(?), ref: 000769DC
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 000769EB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                      • String ID:
                      • API String ID: 2108273632-0
                      • Opcode ID: acb38b740682823020174fbf0b69b36822ef593f167e191a724062a8dc741426
                      • Instruction ID: 980fd346a4b71672b667a746191d65bb2031821906526073c087134a6d55b172
                      • Opcode Fuzzy Hash: acb38b740682823020174fbf0b69b36822ef593f167e191a724062a8dc741426
                      • Instruction Fuzzy Hash: 71310771D00A82AAEB60CF74EC84BF67BECAB12740F108169E12BD7061D73F9845DB54
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 00078F12
                      • PostMessageW.USER32(?,00000201,00000001), ref: 00078FBC
                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00078FC4
                      • PostMessageW.USER32(?,00000202,00000000), ref: 00078FD2
                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00078FDA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      • Opcode ID: 18e6c597f77dd0417df08f1a4e28f0cba65b1f924ec6fa1a7d805f8d58199680
                      • Instruction ID: 7576ea72f85ddb3483e22a584ea11b26085731f49591d8b95790ac38eee43161
                      • Opcode Fuzzy Hash: 18e6c597f77dd0417df08f1a4e28f0cba65b1f924ec6fa1a7d805f8d58199680
                      • Instruction Fuzzy Hash: 9631C071900219EFDB14CFA8D94CAAE7BB6FB05315F10C229F929E61D0C7B89914DB91
                      APIs
                      • IsWindowVisible.USER32(?), ref: 0007B6C7
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0007B6E4
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0007B71C
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0007B742
                      • _wcsstr.LIBCMT ref: 0007B74C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                      • String ID:
                      • API String ID: 3902887630-0
                      • Opcode ID: 1d787610b2b250973ea5ad550c31f22a6f8615ade98a057801df1012e0dfb086
                      • Instruction ID: 59caa297882abe85f37c8f95d52d407af8f22b026d75dad3352439ae48b5b723
                      • Opcode Fuzzy Hash: 1d787610b2b250973ea5ad550c31f22a6f8615ade98a057801df1012e0dfb086
                      • Instruction Fuzzy Hash: 95212971608644BBEB295B799C49F7B7BD8DF49760F008039FD09CA1A1EF69DC40D2A4
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • GetWindowLongW.USER32(?,000000F0), ref: 000AB44C
                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 000AB471
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 000AB489
                      • GetSystemMetrics.USER32(00000004), ref: 000AB4B2
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00091184,00000000), ref: 000AB4D0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$Long$MetricsSystem
                      • String ID:
                      • API String ID: 2294984445-0
                      • Opcode ID: 89fdfb635f1492d6d311202331fd8e6c62f85cad34ae889843fcde853645c264
                      • Instruction ID: 90653bc41d12d9f0bd8ed95870fec14eee4e859ed723b7328dfb4128f1d905f6
                      • Opcode Fuzzy Hash: 89fdfb635f1492d6d311202331fd8e6c62f85cad34ae889843fcde853645c264
                      • Instruction Fuzzy Hash: C4219131910666AFDB609FB8DC44A6A3BA4FB0B720F104738F926D61E3E7359811DB80
                      APIs
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00079802
                        • Part of subcall function 00027D2C: _memmove.LIBCMT ref: 00027D66
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00079834
                      • __itow.LIBCMT ref: 0007984C
                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00079874
                      • __itow.LIBCMT ref: 00079885
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$__itow$_memmove
                      • String ID:
                      • API String ID: 2983881199-0
                      • Opcode ID: 7c6d58eb909036b0964ed71c15c6f5db17cd62f55e3a201f6631815329f97580
                      • Instruction ID: fb2c078d1e551836f7cc7b54a7c8747a7353093a9f9bad263c3b6938393da72a
                      • Opcode Fuzzy Hash: 7c6d58eb909036b0964ed71c15c6f5db17cd62f55e3a201f6631815329f97580
                      • Instruction Fuzzy Hash: 1621DD71F00204ABDB509BA59C86EEE7BB8DF4A710F088035FD08DB252DA748D4187D6
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0002134D
                      • SelectObject.GDI32(?,00000000), ref: 0002135C
                      • BeginPath.GDI32(?), ref: 00021373
                      • SelectObject.GDI32(?,00000000), ref: 0002139C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: e7c21a781256ddedfb2ecdfd3db0d1f38c8fbf3b23f94a836f9a4eab422e7081
                      • Instruction ID: 86950969cd3c85710b176460f3c68b685a8672e5c8bfad1cb0f632af093084ad
                      • Opcode Fuzzy Hash: e7c21a781256ddedfb2ecdfd3db0d1f38c8fbf3b23f94a836f9a4eab422e7081
                      • Instruction Fuzzy Hash: 44219070800254EFEB10CF65FD447AD3BF9FB20761F244326F814AA1A0DB7A9995CB90
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: 2537a51f0519c95dce7d0f5922555dc38ff8961113a17c40069b9dd64a1bc6fb
                      • Instruction ID: 60fd725bc7765af87c3118a96fb9dacd713df91821e4b342abbe72f52934bbfc
                      • Opcode Fuzzy Hash: 2537a51f0519c95dce7d0f5922555dc38ff8961113a17c40069b9dd64a1bc6fb
                      • Instruction Fuzzy Hash: D801B5B1A041057BF214A6209C42FEF77DC9B223A4F848139FE089A283FB54DE1182E8
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 00084D5C
                      • __beginthreadex.LIBCMT ref: 00084D7A
                      • MessageBoxW.USER32(?,?,?,?), ref: 00084D8F
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00084DA5
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00084DAC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                      • String ID:
                      • API String ID: 3824534824-0
                      • Opcode ID: 368f673e11c59c7291352131181afec6243c2af40a195eb5d544d133cc6afd5a
                      • Instruction ID: e3e734e7edf3d9d6d9f0a7fd126852f322a67bcddb437d0d1dd98e578b9e1569
                      • Opcode Fuzzy Hash: 368f673e11c59c7291352131181afec6243c2af40a195eb5d544d133cc6afd5a
                      • Instruction Fuzzy Hash: 6C1148B2904645BBDB009BA8AC44AEA7FACFB45320F144369FA54D7350D6798D0087A0
                      APIs
                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00078766
                      • GetLastError.KERNEL32(?,0007822A,?,?,?), ref: 00078770
                      • GetProcessHeap.KERNEL32(00000008,?,?,0007822A,?,?,?), ref: 0007877F
                      • HeapAlloc.KERNEL32(00000000,?,0007822A,?,?,?), ref: 00078786
                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0007879D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 842720411-0
                      • Opcode ID: 54ba310b12ee571cf47bee2223fca75ff80c382a363b480abe1f4a301b085582
                      • Instruction ID: 3f22a5862c8ebacc0ede8b5f694dbf699a36f69ae3054db3251546d6f0fa8d99
                      • Opcode Fuzzy Hash: 54ba310b12ee571cf47bee2223fca75ff80c382a363b480abe1f4a301b085582
                      • Instruction Fuzzy Hash: 30014F71644605EFEB245FAADC4CD6B7BACEF863557208429F84AC2160DA35CD00CB60
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00085502
                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00085510
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00085518
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00085522
                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0008555E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: d130076655b1592dbcf1e57cf9ed57a18c72479ead31d468e7b21c1b5df5a857
                      • Instruction ID: 731e223a2a44653c0faeef30d0cc4f126b139027a8bc61b876f553ccc6f2c247
                      • Opcode Fuzzy Hash: d130076655b1592dbcf1e57cf9ed57a18c72479ead31d468e7b21c1b5df5a857
                      • Instruction Fuzzy Hash: C2011B35D00E1ADBDF10EFE9EC59AEDBBB9BB09712F400156E981B2140DB345654CBA1
                      APIs
                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?,?,0007799D), ref: 0007766F
                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?), ref: 0007768A
                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?), ref: 00077698
                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?), ref: 000776A8
                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0007758C,80070057,?,?), ref: 000776B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: 65a774c2f5b73d748ded9521af6d6667e887a544c75149d1aff98699f92ad665
                      • Instruction ID: 49f15a5ceb02fc429cb61d60df9eb9aaec0e7004037f328948ec74d33e842fae
                      • Opcode Fuzzy Hash: 65a774c2f5b73d748ded9521af6d6667e887a544c75149d1aff98699f92ad665
                      • Instruction Fuzzy Hash: 4001D8B6A00605BBEB105F58DC04BAA7BECEB45791F104124FD0CD6225EB39DD0087A0
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00078608
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00078612
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00078621
                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00078628
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0007863E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: ebbf5fa743ef212972cde5b95ecd14def45c38778a82ea125df61f5134e344e5
                      • Instruction ID: 568c6d3543369c5ea4093f42ecba6415cfd3f1a0f208b34cec1b4508f6411b60
                      • Opcode Fuzzy Hash: ebbf5fa743ef212972cde5b95ecd14def45c38778a82ea125df61f5134e344e5
                      • Instruction Fuzzy Hash: 68F04931241605BFEB601FE5DC8DE7B3BACEF8A755B008429F94DC6150CBA99D41DB60
                      APIs
                       • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00078669
                       • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00078673
                       • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00078682
                       • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00078689
                       • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0007869F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                       • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: b37aa4adab19be80352b7f9ac069a5bea023869370b5ae33772d04fb05ccdd35
                      • Instruction ID: 4db6166fe44539d6812af597ee17feec5f873bb33b590804429cd507436763fd
                      • Opcode Fuzzy Hash: b37aa4adab19be80352b7f9ac069a5bea023869370b5ae33772d04fb05ccdd35
                      • Instruction Fuzzy Hash: 0BF0AF71240205BFEB211FA4EC8CE773BACEF8A765B108025F909D2250CBA89900DB61
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 0007C6BA
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0007C6D1
                      • MessageBeep.USER32(00000000), ref: 0007C6E9
                      • KillTimer.USER32(?,0000040A), ref: 0007C705
                      • EndDialog.USER32(?,00000001), ref: 0007C71F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: 855d535ad655c030a048ac59d5ac79dd65841eb06064dfd7d48528dca74bc82a
                      • Instruction ID: 2bc18ed24cc7cc0df609a1fc85a78dfe768609ef70e36547d143a17780b83032
                      • Opcode Fuzzy Hash: 855d535ad655c030a048ac59d5ac79dd65841eb06064dfd7d48528dca74bc82a
                      • Instruction Fuzzy Hash: 82018F30804B05ABFB245B60EC8EFA677B8BB01701F00466DB586A10E1DBE8A9548A84
                      APIs
                      • EndPath.GDI32(?), ref: 000213BF
                      • StrokeAndFillPath.GDI32(?,?,0005BAD8,00000000,?), ref: 000213DB
                      • SelectObject.GDI32(?,00000000), ref: 000213EE
                      • DeleteObject.GDI32 ref: 00021401
                      • StrokePath.GDI32(?), ref: 0002141C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: 942d2b898d3820970654787479e898858d18a360429fa3e8ce951bba302723a9
                      • Instruction ID: 6955c2f6876860e2ae2fd2e3d1c2e96e5dc9cd124c94f8cc3322f224ac7b4761
                      • Opcode Fuzzy Hash: 942d2b898d3820970654787479e898858d18a360429fa3e8ce951bba302723a9
                      • Instruction Fuzzy Hash: FBF03C30000749EBEB255F66FE8CBA83FE5AB21766F04C324E469980F1CB3A4995DF10
                      APIs
                        • Part of subcall function 00040FF6: std::exception::exception.LIBCMT ref: 0004102C
                        • Part of subcall function 00040FF6: __CxxThrowException@8.LIBCMT ref: 00041041
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 00027BB1: _memmove.LIBCMT ref: 00027C0B
                      • __swprintf.LIBCMT ref: 0003302D
                      Strings
                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00032EC6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                      • API String ID: 1943609520-557222456
                      • Opcode ID: 1b1f815197da2ab67325134dc639a527ffc5f29b948055ecceaf7d36b28bcae2
                      • Instruction ID: cc8c3ca29a110c0efea0298a219b8f5f60925881eebcdd4bb47052b38b26ac0f
                      • Opcode Fuzzy Hash: 1b1f815197da2ab67325134dc639a527ffc5f29b948055ecceaf7d36b28bcae2
                      • Instruction Fuzzy Hash: AF917C711083119FC729EF24D895DAEB7E8EF85750F00492DF4469B2A2DB71EE44CB52
                      APIs
                        • Part of subcall function 000248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,000248A1,?,?,000237C0,?), ref: 000248CE
                      • CoInitialize.OLE32(00000000), ref: 0008BC26
                      • CoCreateInstance.OLE32(000B2D6C,00000000,00000001,000B2BDC,?), ref: 0008BC3F
                      • CoUninitialize.OLE32 ref: 0008BC5C
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                      • String ID: .lnk
                      • API String ID: 2126378814-24824748
                      • Opcode ID: 64a7c5efc554f05ffb3804184a89670cfc49587b194d59b1bd0997377c2ed5e9
                      • Instruction ID: 38d1891234f96800710cdd69f20ab496764d75da4a2447c6cc05e2725fa9db74
                      • Opcode Fuzzy Hash: 64a7c5efc554f05ffb3804184a89670cfc49587b194d59b1bd0997377c2ed5e9
                      • Instruction Fuzzy Hash: 92A136756043119FCB10EF14C484DAABBE5FF89314F148998F8999B3A2CB31ED45CB91
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 000452DD
                        • Part of subcall function 00050340: __87except.LIBCMT ref: 0005037B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorHandling__87except__start
                      • String ID: pow
                      • API String ID: 2905807303-2276729525
                      • Opcode ID: 049a577aaec52557adb6dba17ced118c83d673d3abc13f581a5323b8b6b5c8c8
                      • Instruction ID: a71538c3931fbc2e70e60beb7fc522918f6cd0ccb739cfb1b8f0cdd2334e50c2
                      • Opcode Fuzzy Hash: 049a577aaec52557adb6dba17ced118c83d673d3abc13f581a5323b8b6b5c8c8
                      • Instruction Fuzzy Hash: 21515BE1A09A0187DB617B14CE413BF2BD49B40753F208D79E895861E7EE788DC89E4A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID: #$+
                      • API String ID: 0-2552117581
                      • Opcode ID: 246563f00f42ddce8b97baf1e99905b08c69ac1da4eb5ebca020419c14bcd766
                      • Instruction ID: 19d8b43a7d4788c2359be24804e072102c48519960e58de46fe50fa42d9082e3
                      • Opcode Fuzzy Hash: 246563f00f42ddce8b97baf1e99905b08c69ac1da4eb5ebca020419c14bcd766
                      • Instruction Fuzzy Hash: CB5155758042468FDF75DF28C888AFD7BE4EF1A311F188065EC95AB2A1D7789D42C724
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _memset$_memmove
                      • String ID: ERCP
                      • API String ID: 2532777613-1384759551
                      • Opcode ID: 27c940ca2af05b9ed1701bb1bf289fc45c6c9378f92358f112596485cb50858e
                      • Instruction ID: 960d9d5c7b3b30c455340715e011d887a6b0ba9c067d2ce6407e5bc05f32761d
                      • Opcode Fuzzy Hash: 27c940ca2af05b9ed1701bb1bf289fc45c6c9378f92358f112596485cb50858e
                      • Instruction Fuzzy Hash: 8B51A171D00309EBDB25CF65C8817EABBF8EF04714F20856EE64ACB281E7759684CB54
                      APIs
                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 000A76D0
                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 000A76E4
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 000A7708
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$Window
                      • String ID: SysMonthCal32
                      • API String ID: 2326795674-1439706946
                      • Opcode ID: 5409106068a1bf6abfa0756479bd565c300019b6ef0774138e0817c3662be7b3
                      • Instruction ID: 2065cd0dd2c0be0323e60903721fcbed3523dd9b567508ff98a1ac523148d479
                      • Opcode Fuzzy Hash: 5409106068a1bf6abfa0756479bd565c300019b6ef0774138e0817c3662be7b3
                      • Instruction Fuzzy Hash: F721D332504219BBDF11CF94CC46FEA3BA9EF49754F110214FE196B1D1DAB5A8508BA0
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 000A6FAA
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 000A6FBA
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 000A6FDF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      • Opcode ID: b6c3e590d075b8a4b20a4c25663403d3ae855fe7ba449c1a01471ebba2aa6449
                      • Instruction ID: dc315d305d1e85e8359c50b794b58fd65f52606d36031915a7870f8a4edbd532
                      • Opcode Fuzzy Hash: b6c3e590d075b8a4b20a4c25663403d3ae855fe7ba449c1a01471ebba2aa6449
                      • Instruction Fuzzy Hash: 08218332614118BFEF118F94DC85EBB37BAEF8A754F058124F9159B190CA769C518BA0
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 000A79E1
                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 000A79F6
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 000A7A03
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      • Opcode ID: 6524ac197865721c8140af39bd9978a4254299b83ea6691ea989a6e96d8d2da5
                      • Instruction ID: d955c6bbf81e88fb7ee3aea8237e32ee5b57554486d9e1eadfe64241012008df
                      • Opcode Fuzzy Hash: 6524ac197865721c8140af39bd9978a4254299b83ea6691ea989a6e96d8d2da5
                      • Instruction Fuzzy Hash: B6110A32244208BBEF209FB4CC05FEB77ADEFDA764F024519F655A6091D671D811CB60
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00024C2E), ref: 00024CA3
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00024CB5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetNativeSystemInfo$kernel32.dll
                      • API String ID: 2574300362-192647395
                      • Opcode ID: 2d25f4033b67f2bf4f6a7e3d7151395e1260d083ec9849dfd4be177f45935d7e
                      • Instruction ID: de0b2746dd91f2c1f89b75f289b40e45a21947feb7828af37417fc6a5aa91104
                      • Opcode Fuzzy Hash: 2d25f4033b67f2bf4f6a7e3d7151395e1260d083ec9849dfd4be177f45935d7e
                      • Instruction Fuzzy Hash: D1D0C270510723CFD7205FB4D919612B2E4AF02780B208839D882C6150D774C480C620
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00024D2E,?,00024F4F,?,000E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024D6F
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00024D81
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-3689287502
                      • Opcode ID: 922e4130de07f1a744f2cb1aa0f90762871dd30866b424eec38c0fabcbfcab24
                      • Instruction ID: 9f7a6be5837c82ef80dcbe4f513cebb663b625de5f28dec7faf9866ab3cc5750
                      • Opcode Fuzzy Hash: 922e4130de07f1a744f2cb1aa0f90762871dd30866b424eec38c0fabcbfcab24
                      • Instruction Fuzzy Hash: B8D01730510B23CFE7209FB1E85866676E8AF16392B11C93AD486DA290E7B4D880CA60
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00024CE1,?), ref: 00024DA2
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00024DB4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 2574300362-1355242751
                      • Opcode ID: 8e21e1868e4795e0b8a454ab4efada68c8b9077a665f4e1d27c60bd202dae27c
                      • Instruction ID: 51597ae060931abc537a37181ec9b5e60246a4184714cd652c23bbf527f88da9
                      • Opcode Fuzzy Hash: 8e21e1868e4795e0b8a454ab4efada68c8b9077a665f4e1d27c60bd202dae27c
                      • Instruction Fuzzy Hash: C8D05B31550723CFD7305FB1D85875676E4EF06355B11C83ED8C5D6150E774D480C660
                      APIs
                      • LoadLibraryA.KERNEL32(advapi32.dll,?,000A12C1), ref: 000A1080
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000A1092
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2574300362-4033151799
                      • Opcode ID: 2944d4df9e2db3ca311cf7fe2175c087b1a78126acf1f41f8620ae76fcb69a1a
                      • Instruction ID: 4fc5512507c74fc81c0e504e604f57086501454d7c342f8169f15f897c25e87c
                      • Opcode Fuzzy Hash: 2944d4df9e2db3ca311cf7fe2175c087b1a78126acf1f41f8620ae76fcb69a1a
                      • Instruction Fuzzy Hash: A9D01231510713CFD7205FB5D95896A76E4AF06351F118C3EE4C5DA250D7B4C4C0C650
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00099009,?,000AF910), ref: 00099403
                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00099415
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: AddressLibraryLoadProc
                      • String ID: GetModuleHandleExW$kernel32.dll
                      • API String ID: 2574300362-199464113
                      • Opcode ID: 250984f4e65aff28c1ae16f486c02e63eb511636644cff64093959d1e8329563
                      • Instruction ID: 000c7f3d8b0ab6157f71622266ab14191463d32d3baa3fa4a89af9ad7f6972e3
                      • Opcode Fuzzy Hash: 250984f4e65aff28c1ae16f486c02e63eb511636644cff64093959d1e8329563
                      • Instruction Fuzzy Hash: E9D0C230514713CFDB305FB4C90851272E4AF22351B00C83ED481C6550D774C4C0C720
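The run of LoadLibraryA/GetProcAddress entries above is the kind of listing an analyst wants condensed into one table: which exports the binary resolves at run time, from which DLL, and whether any function queries the process's own integrity level (the GetTokenInformation/TokenIntegrityLevel pair further up). The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It parses a constructed excerpt (SAMPLE) written in the report's own listing format, so it runs offline; the NOTES table and the function names are the example's own, not something the report states. One caveat a practitioner should keep in mind: the `>>>AUTOIT NO CMDEXECUTE<<<` string in the call context at ref 00024D6F shows these stubs belong to the AutoIt interpreter the sample is wrapped in, so treat the resolved exports as loader behaviour rather than as payload-specific indicators.

```python
"""Turn the per-function 'APIs' listings of a Joe Sandbox report into a triage
summary: which Win32 exports the binary resolves at run time via
LoadLibrary/GetProcAddress, and whether it queries its own integrity level.
SAMPLE is a constructed excerpt in the report's listing format, not a full report."""
import re

SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00024C2E), ref: 00024CA3
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00024CB5
Memory Dump Source
• Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00024D2E,?,00024F4F,?,000E62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00024D6F
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00024D81
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,000A12C1), ref: 000A1080
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 000A1092
Memory Dump Source
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00078669
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00078673
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00078682
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00078689
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0007869F
• CoUninitialize.OLE32 ref: 0008BC5C
Memory Dump Source
"""

# One call line: optional "Part of subcall function XXXX:" prefix, Api.MODULE,
# an optional argument list, and the call-site address after "ref:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Triage notes for resolved exports worth a second look. This table is the
# example's own annotation, not something the report states.
NOTES = {
    "Wow64DisableWow64FsRedirection": "32-bit code reaching the real System32 on x64 hosts",
    "Wow64RevertWow64FsRedirection": "restores file-system redirection afterwards",
    "RegDeleteKeyExW": "key deletion with an explicit KEY_WOW64_* registry view",
    "GetNativeSystemInfo": "real CPU architecture, unaffected by WOW64 emulation",
}


def parse_entries(text):
    """Split the listing into per-function entries, each a list of parsed calls."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":                          # opens a function's call list
            current = []
            entries.append(current)
            continue
        if stripped.startswith("Memory Dump Source"):   # closes it
            current = None
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "module": m["module"],
                            "args": args, "ref": int(m["ref"], 16)})
    return entries


def resolved_imports(entries):
    """Pair each LoadLibrary*/GetModuleHandle*(dll) with the GetProcAddress(export)
    calls that follow it inside the same function."""
    found = []
    for calls in entries:
        dll = None
        for c in calls:
            if c["api"].startswith(("LoadLibrary", "GetModuleHandle")) and c["args"]:
                dll = c["args"][0].lower()
            elif c["api"] == "GetProcAddress" and len(c["args"]) >= 2:
                found.append((dll or "<unknown>", c["args"][1], c["ref"]))
    return found


def queries_integrity_level(calls):
    """True when the function asks GetTokenInformation for TokenIntegrityLevel
    (class 3); the report's ADVAPI32 entry shows the usual size-query,
    HeapAlloc, second-query sequence."""
    return any(c["api"] == "GetTokenInformation"
               and any("TokenIntegrityLevel" in a for a in c["args"])
               for c in calls)


def summarize(text):
    entries = parse_entries(text)
    return {
        "functions": len(entries),
        "dynamic_imports": sorted({(d, e) for d, e, _ in resolved_imports(entries)}),
        "integrity_level_check": any(queries_integrity_level(e) for e in entries),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(f"{s['functions']} functions parsed")
    for dll, export in s["dynamic_imports"]:
        print(f"  {dll:14s} -> {export:34s} {NOTES.get(export, '')}")
    print("queries own integrity level:", s["integrity_level_check"])
```

To use it on a real report, paste the text of the function listings into `SAMPLE` or feed a file's contents to `summarize()`; the parser only needs the `APIs` header, the bullet call lines and the `Memory Dump Source` header that closes each entry, so the other per-function fields can stay in place.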
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LocalTime__swprintf
                      • String ID: %.3d$WIN_XPe
                      • API String ID: 2070861257-2409531811
                      • Opcode ID: 8eb48f162f729d7e9e5a38488e0cd6eff10121ca9441fb35fc6f00f4666b1b65
                      • Instruction ID: e4b7f23c6195e04961a168c036e9a413858b0d3047091bac72161414758583ea
                      • Opcode Fuzzy Hash: 8eb48f162f729d7e9e5a38488e0cd6eff10121ca9441fb35fc6f00f4666b1b65
                      • Instruction Fuzzy Hash: 20D012B1C08218EADB249AA09C44DFD737DAB09301F181592B50291040F7389B84DB25
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ecdc87acb957ea282ef389e238c6f67a10bddce6e45b2b36f382fc3a606c75b4
                      • Instruction ID: 348511653b3dcffa1ef9f9bbe491122d280dae474e7c691ce28e92b138fc9821
                      • Opcode Fuzzy Hash: ecdc87acb957ea282ef389e238c6f67a10bddce6e45b2b36f382fc3a606c75b4
                      • Instruction Fuzzy Hash: BAC17975E04216EFDB14CFA8C884AAEB7F5FF48340B118598E809EB251D734EE81CB94
                      APIs
                      • CharLowerBuffW.USER32(?,?), ref: 0009E3D2
                      • CharLowerBuffW.USER32(?,?), ref: 0009E415
                        • Part of subcall function 0009DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0009DAD9
                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0009E615
                      • _memmove.LIBCMT ref: 0009E628
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: BuffCharLower$AllocVirtual_memmove
                      • String ID:
                      • API String ID: 3659485706-0
                      • Opcode ID: 0bcd9ae9307f1338e7c25be8c45890966ad43d2931acaf0c3186a9278e68ce53
                      • Instruction ID: 450a33e0c8f93f769431b42a9a4e2171944cedc0151adbff8af0073f12a8092e
                      • Opcode Fuzzy Hash: 0bcd9ae9307f1338e7c25be8c45890966ad43d2931acaf0c3186a9278e68ce53
                      • Instruction Fuzzy Hash: D7C16971A083519FCB54DF28C480A6ABBE4FF88714F14896EF8999B352D731ED45CB82
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 000983D8
                      • CoUninitialize.OLE32 ref: 000983E3
                        • Part of subcall function 0007DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0007DAC5
                      • VariantInit.OLEAUT32(?), ref: 000983EE
                      • VariantClear.OLEAUT32(?), ref: 000986BF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                      • String ID:
                      • API String ID: 780911581-0
                      • Opcode ID: b86a99c2195be1432aed9789d5b81e85f6d0c004ff7cb850baf3fb858509b0ea
                      • Instruction ID: 8f7a8578ede147c74097cb2e4b7c34c61d902c68d70bde4e4839e3d6e9f4b822
                      • Opcode Fuzzy Hash: b86a99c2195be1432aed9789d5b81e85f6d0c004ff7cb850baf3fb858509b0ea
                      • Instruction Fuzzy Hash: 16A15C752047119FDB10DF28C481B6AB7E4BF89324F14885DF99A9B3A2CB31ED44DB86
                      APIs
                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 00077C32
                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 00077C4A
                      • CLSIDFromProgID.OLE32(?,?,00000000,000AFB80,000000FF,?,00000000,00000800,00000000,?,000B2C7C,?), ref: 00077C6F
                      • _memcmp.LIBCMT ref: 00077C90
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: FromProg$FreeTask_memcmp
                      • String ID:
                      • API String ID: 314563124-0
                      • Opcode ID: e9a3eed2032c4e186223f2d3aef886768173fa3cbf676f47a1781112544810d6
                      • Instruction ID: 290ed981e05904e94ea150e24a09ac29fe54cd7538ca1cd851eac4884721d296
                      • Opcode Fuzzy Hash: e9a3eed2032c4e186223f2d3aef886768173fa3cbf676f47a1781112544810d6
                      • Instruction Fuzzy Hash: C7811B71E00109EFCB04DF94C984EEEB7B9FF89355F208198E509AB250DB75AE06CB61
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Variant$AllocClearCopyInitString
                      • String ID:
                      • API String ID: 2808897238-0
                      • Opcode ID: 99d98ed74a4faa34f5eff073dad13b8aa007f6b4a14172ea64ce983504acb791
                      • Instruction ID: c22db953ffa59c5ddb42ccc06b704065c0a99026ce7fa9a3e66586993bdc2399
                      • Opcode Fuzzy Hash: 99d98ed74a4faa34f5eff073dad13b8aa007f6b4a14172ea64ce983504acb791
                      • Instruction Fuzzy Hash: C051FA30A04702DADB30AF75D491A7DB3E5AF08350F60C82FE59FC7292DB7998409B59
                      APIs
                      • GetWindowRect.USER32(00C411D0,?), ref: 000A9AD2
                      • ScreenToClient.USER32(00000002,00000002), ref: 000A9B05
                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 000A9B72
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID:
                      • API String ID: 3880355969-0
                      • Opcode ID: 91ae5ee244f88cdfcadfb3f931f7cbf85a5bb47d8ec5745199edbc31685c16e8
                      • Instruction ID: 002c4f127eef513ac27af23f5f1dbdc9466af8c7554c6f17a042e4395fdc314f
                      • Opcode Fuzzy Hash: 91ae5ee244f88cdfcadfb3f931f7cbf85a5bb47d8ec5745199edbc31685c16e8
                      • Instruction Fuzzy Hash: 8B515134A00609EFDF50DFA8E9809AE7BF6FF56760F108259F9159B2A0D730AD41CB90
                      APIs
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00096CE4
                      • WSAGetLastError.WSOCK32(00000000), ref: 00096CF4
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00096D58
                      • WSAGetLastError.WSOCK32(00000000), ref: 00096D64
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ErrorLast$__itow__swprintfsocket
                      • String ID:
                      • API String ID: 2214342067-0
                      • Opcode ID: fa083e7c41a09d587c188d852ce7152d5e5093971f224d757c23e08bc6d1a93c
                      • Instruction ID: a491b0df8051a39c60ff1e62ead3bc4a4cba9048061e428e98b3bb05eceb63ee
                      • Opcode Fuzzy Hash: fa083e7c41a09d587c188d852ce7152d5e5093971f224d757c23e08bc6d1a93c
                      • Instruction Fuzzy Hash: C5419374B40610AFEB24AF24EC87F7A77E59B08B10F44C418FA599B2D3DA759D008B91
                      APIs
                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000AF910), ref: 000967BA
                      • _strlen.LIBCMT ref: 000967EC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _strlen
                      • String ID:
                      • API String ID: 4218353326-0
                      • Opcode ID: c227b879a612db9077ede1db5edcc0efdbd1f597a70a2a861021a921fc348519
                      • Instruction ID: f0cab101fd00b26ce1ff5a5827a6b95186fd2aa8e17f5c98f1acfa2e564b927a
                      • Opcode Fuzzy Hash: c227b879a612db9077ede1db5edcc0efdbd1f597a70a2a861021a921fc348519
                      • Instruction Fuzzy Hash: 5B41C071A00115ABCF14EBA4DCD5EFEB3A9AF48310F148265F81A9B293DF31AD04DB55
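The Winsock and VirtualAlloc arguments in these entries are printed as raw hex, so what the calls do is easy to miss: socket(2,2,0x11) is an AF_INET/SOCK_DGRAM/IPPROTO_UDP socket, wsock32 ordinal #21 is setsockopt and the 0xFFFF/0x20 pair sets SO_BROADCAST, ordinal #16 is recv, and the VirtualAlloc in the CharLowerBuffW entry further up requests 0x77 bytes of PAGE_EXECUTE_READWRITE memory. The script below is an added example, not part of the Joe Sandbox report, that parses lines in this listing's format, resolves wsock32.dll ordinal imports and names the constants. The ordinal table and constant values are taken from the public Windows headers (wsock32.dll exports its BSD functions by ordinal in alphabetical order, accept=1 through socket=23); the function names are the editor's own and the sample lines are copied from the entries above.

```python
"""Decode API-reference lines from a Joe Sandbox IDA-plugin function listing.

Added example (not part of the Joe Sandbox report): turns the raw
"Name.MODULE(args), ref: addr" lines into structured calls, resolves
wsock32.dll ordinal imports and names Winsock / VirtualAlloc constants.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: four API lines copied verbatim from the listing above.
SAMPLE_LISTING = """\
• socket.WSOCK32(00000002,00000002,00000011), ref: 00096CE4
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00096D58
• #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,000AF910), ref: 000967BA
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0009E615
"""

# wsock32.dll ordinals 1-23 are the BSD socket functions in alphabetical
# order (accept=1 ... socket=23); only the ones useful here are listed.
WSOCK32_ORDINALS: Dict[int, str] = {
    3: "closesocket", 4: "connect", 12: "ioctlsocket", 16: "recv",
    17: "recvfrom", 19: "send", 20: "sendto", 21: "setsockopt", 23: "socket",
}

# Values from winsock2.h / memoryapi.h; not exhaustive.
ADDRESS_FAMILIES = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTOCOLS = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL_SOCKET = 0xFFFF
SOL_SOCKET_OPTIONS = {0x0004: "SO_REUSEADDR", 0x0020: "SO_BROADCAST", 0x1006: "SO_RCVTIMEO"}
ALLOCATION_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECTIONS = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# "• Name.MODULE(arg,arg,...), ref: ADDR"; nested "Part of subcall function
# XXXX:" lines carry a prefix that is stripped first.
SUBCALL_PREFIX = re.compile(r"Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*")
API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?P<name>#?\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def _arg(token: str):
    """'?' is an argument the plugin could not recover; annotated tokens stay as text."""
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_line(line: str) -> Optional[dict]:
    """Parse one listing line; returns None for lines that are not API references."""
    subcall = SUBCALL_PREFIX.search(line)
    if subcall:
        line = line[: subcall.start()] + line[subcall.end():]
    m = API_LINE.match(line)
    if not m:
        return None
    name, module = m["name"], m["module"].upper()
    if name.startswith("#") and module == "WSOCK32":  # ordinal import
        name = WSOCK32_ORDINALS.get(int(name[1:]), name)
    args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
    return {"api": name, "module": module, "args": args, "ref": int(m["ref"], 16),
            "via_subcall": subcall["fn"] if subcall else None}


def _all_int(vals) -> bool:
    return all(isinstance(v, int) for v in vals)


def _flags(value: int, table: Dict[int, str]) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def describe(call: dict) -> str:
    """Readable rendering with constants resolved for the APIs we know about."""
    api, a = call["api"], call["args"]
    if api == "socket" and len(a) >= 3 and _all_int(a[:3]):
        return "socket({}, {}, {})".format(ADDRESS_FAMILIES.get(a[0], a[0]),
                                           SOCKET_TYPES.get(a[1], a[1]), PROTOCOLS.get(a[2], a[2]))
    if api == "setsockopt" and len(a) >= 3 and _all_int(a[1:3]):
        level = "SOL_SOCKET" if a[1] == SOL_SOCKET else hex(a[1])
        opt = SOL_SOCKET_OPTIONS.get(a[2], hex(a[2])) if a[1] == SOL_SOCKET else hex(a[2])
        return "setsockopt(s, {}, {}, ...)".format(level, opt)
    if api == "VirtualAlloc" and len(a) >= 4 and _all_int(a[:4]):
        return "VirtualAlloc(addr={}, size={}, {}, {})".format(
            "NULL" if a[0] == 0 else hex(a[0]), a[1],
            _flags(a[2], ALLOCATION_TYPES), PAGE_PROTECTIONS.get(a[3], hex(a[3])))
    rendered = ", ".join("?" if v is None else hex(v) if isinstance(v, int) else v for v in a)
    return "{}({})".format(api, rendered)


def decode_listing(text: str) -> List[str]:
    """One 'ADDR  description' string per API line found in the text."""
    out = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call:
            out.append("{:08X}  {}".format(call["ref"], describe(call)))
    return out


def rwx_allocations(text: str) -> List[int]:
    """Call sites of VirtualAlloc with PAGE_EXECUTE_READWRITE: the usual marker of
    unpacking or shellcode staging, worth a closer look in any listing."""
    hits = []
    for line in text.splitlines():
        call = parse_api_line(line)
        if call and call["api"] == "VirtualAlloc" and len(call["args"]) >= 4 and call["args"][3] == 0x40:
            hits.append(call["ref"])
    return hits


if __name__ == "__main__":
    for entry in decode_listing(SAMPLE_LISTING):
        print(entry)
```

Fed the whole "APIs" section of a report, decode_listing gives a per-call-site summary and rwx_allocations a shortlist of executable-memory allocations to start triage from; unknown APIs are passed through with their raw arguments, so nothing is silently dropped.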
                      APIs
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0008BB09
                      • GetLastError.KERNEL32(?,00000000), ref: 0008BB2F
                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0008BB54
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0008BB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      • Opcode ID: 5ce045bf3a083d471f1843dbea58f220ba7a24a1cae3bcd350d77958bdc3185a
                      • Instruction ID: 5fa8cb8169a9fdf52c284686e4d8219404b2e711da6c3832b01e68df383f837d
                      • Opcode Fuzzy Hash: 5ce045bf3a083d471f1843dbea58f220ba7a24a1cae3bcd350d77958bdc3185a
                      • Instruction Fuzzy Hash: 92412B35600A21DFDB10EF18D585A5DBBE1BF49320F198498EC8A9B362CB35FD41CB91
                      APIs
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 000A8B4D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: InvalidateRect
                      • String ID:
                      • API String ID: 634782764-0
                      • Opcode ID: edc4eca88416d7bba32dbe56e50065b65a7510801f09722c6e72a317f2121e8d
                      • Instruction ID: ac8c9c4db01cfb51439df8a7ef686b5ee870dedcb1a3fffa2b81e6fec8fe87d7
                      • Opcode Fuzzy Hash: edc4eca88416d7bba32dbe56e50065b65a7510801f09722c6e72a317f2121e8d
                      • Instruction Fuzzy Hash: 1631D2B4620214BFEB749EE8DC85FAD37A4FB07350F24CA12FA51D62A1DF35A9408761
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 000AAE1A
                      • GetWindowRect.USER32(?,?), ref: 000AAE90
                      • PtInRect.USER32(?,?,000AC304), ref: 000AAEA0
                      • MessageBeep.USER32(00000000), ref: 000AAF11
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: 854994e3193d6ec29216f007aa8927cc7e79270ad8857b008221fc8291cb174d
                      • Instruction ID: 38df67834ffee97ee01247519ca285a71aa5ae433df1e7eca85783cf30c2d587
                      • Opcode Fuzzy Hash: 854994e3193d6ec29216f007aa8927cc7e79270ad8857b008221fc8291cb174d
                      • Instruction Fuzzy Hash: D3418E70700219DFDB21CF98D884AA9BBF5FB4B740F1481A9E4149B291D731A842CF92
                      APIs
                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00081037
                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00081053
                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 000810B9
                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0008110B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 6491b6d43091a765c4b771c7bdf08d9ccefa893360e632e17b2a1fb88e3b5500
                      • Instruction ID: 917790b4b61746b0332bc43e882332786aa7558d22a8785d72e210c884234054
                      • Opcode Fuzzy Hash: 6491b6d43091a765c4b771c7bdf08d9ccefa893360e632e17b2a1fb88e3b5500
                      • Instruction Fuzzy Hash: 73311430E44698AEFB30AA658C09BFDBBEDBF45320F04431AE5C4521D1C3B589C69B91
                      APIs
                      • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00081176
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00081192
                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 000811F1
                      • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00081243
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 648007844425a600df1e6eeecbc3047d8d96ee486d8acd7ce04e297757578b4e
                      • Instruction ID: 99f2841460787fe2cc1dabbd514d4126a777b83bf618c37553eaaff1ca7f5591
                      • Opcode Fuzzy Hash: 648007844425a600df1e6eeecbc3047d8d96ee486d8acd7ce04e297757578b4e
                      • Instruction Fuzzy Hash: 18312670E406186AFF70AAA58C08BFEBBEEBF49320F04431AF6C5921D1C37889569751
                      APIs
                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0005644B
                      • __isleadbyte_l.LIBCMT ref: 00056479
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000564A7
                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 000564DD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                      • String ID:
                      • API String ID: 3058430110-0
                      • Opcode ID: e6c56be98ee657ccf27d1ddd9c599f65e88c1a3ba476a61ac1c90adc27f1ce16
                      • Instruction ID: d337b8e9e0171eface3da981219958d090ba323af0bc58770ee3d97ab0ae6c4a
                      • Opcode Fuzzy Hash: e6c56be98ee657ccf27d1ddd9c599f65e88c1a3ba476a61ac1c90adc27f1ce16
                      • Instruction Fuzzy Hash: FE31AF31600246AFDB218F65C845BAB7BE9FF41312F554529EC54872A1EB32D898DF90
                      APIs
                      • GetForegroundWindow.USER32 ref: 000A5189
                        • Part of subcall function 0008387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00083897
                        • Part of subcall function 0008387D: GetCurrentThreadId.KERNEL32 ref: 0008389E
                        • Part of subcall function 0008387D: AttachThreadInput.USER32(00000000,?,000852A7), ref: 000838A5
                      • GetCaretPos.USER32(?), ref: 000A519A
                      • ClientToScreen.USER32(00000000,?), ref: 000A51D5
                      • GetForegroundWindow.USER32 ref: 000A51DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: eaa813d15685a87f1ac372e292f254d038d5929fd50751d6f45f621314820533
                      • Instruction ID: 1963e5ac043453c9725fde66d263ed9373d367a6f04e49c3e864dc615afd3772
                      • Opcode Fuzzy Hash: eaa813d15685a87f1ac372e292f254d038d5929fd50751d6f45f621314820533
                      • Instruction Fuzzy Hash: 9F310E71D00218AFDB10EFA5D885DEFB7F9EF99300F10406AE915E7242EA759E05CBA1
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • GetCursorPos.USER32(?), ref: 000AC7C2
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0005BBFB,?,?,?,?,?), ref: 000AC7D7
                      • GetCursorPos.USER32(?), ref: 000AC824
                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0005BBFB,?,?,?), ref: 000AC85E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                      • String ID:
                      • API String ID: 2864067406-0
                      • Opcode ID: 6f5b23b5f1d459090050efd9646c74436ea07c81ad96245da2a6b01db0ee507d
                      • Instruction ID: 26b58f94dfbb5e4a09f6a5e5158bd34993ef66de0a33ac2bcbe4a96255c5a142
                      • Opcode Fuzzy Hash: 6f5b23b5f1d459090050efd9646c74436ea07c81ad96245da2a6b01db0ee507d
                      • Instruction Fuzzy Hash: F7319335500418AFEB25CF98D898EEA7BF6FB0A710F054165F9059B261CB395D50DF60
                      APIs
                        • Part of subcall function 00078652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00078669
                        • Part of subcall function 00078652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00078673
                        • Part of subcall function 00078652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00078682
                        • Part of subcall function 00078652: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00078689
                        • Part of subcall function 00078652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0007869F
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00078BEB
                      • _memcmp.LIBCMT ref: 00078C0E
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00078C44
                      • HeapFree.KERNEL32(00000000), ref: 00078C4B
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                      • String ID:
                      • API String ID: 1592001646-0
                      • Opcode ID: c665b29e3b630ac3094ef4f5e2f1ca87d70dfa0ef83f85047116f740240c3126
                      • Instruction ID: e00e84d9573ba6bdf5276a511ec0304b4e9b2f0da9b847bff9fa2ba73bd4008f
                      • Opcode Fuzzy Hash: c665b29e3b630ac3094ef4f5e2f1ca87d70dfa0ef83f85047116f740240c3126
                      • Instruction Fuzzy Hash: 8C218B71E81209EBDB10DFA4C949BEEB7F8EF40350F15C059E458A7241DB38AA06CB65
                      APIs
                      • __setmode.LIBCMT ref: 00040BF2
                        • Part of subcall function 00025B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00087B20,?,?,00000000), ref: 00025B8C
                        • Part of subcall function 00025B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00087B20,?,?,00000000,?,?), ref: 00025BB0
                      • _fprintf.LIBCMT ref: 00040C29
                      • OutputDebugStringW.KERNEL32(?), ref: 00076331
                        • Part of subcall function 00044CDA: _flsall.LIBCMT ref: 00044CF3
                      • __setmode.LIBCMT ref: 00040C5E
                      Similarity
                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                      • String ID:
                      • API String ID: 521402451-0
                      • Opcode ID: 81dcd412d0677202413b8c7c12c9d692bdb93666fcb88fd8de42f517fe6087e7
                      • Instruction ID: 78e22ff69635485f3b348a40dd605d23b8bc5c2b4dbcc50866f91ade9b0e1567
                      • Opcode Fuzzy Hash: 81dcd412d0677202413b8c7c12c9d692bdb93666fcb88fd8de42f517fe6087e7
                      • Instruction Fuzzy Hash: 181136B2904614BEDB04B3B4AC83AFE7B699F41320F14413AF20467193DF315D82939D
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00091A97
                        • Part of subcall function 00091B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00091B40
                        • Part of subcall function 00091B21: InternetCloseHandle.WININET(00000000), ref: 00091BDD
                      Similarity
                      • API ID: Internet$CloseConnectHandleOpen
                      • String ID:
                      • API String ID: 1463438336-0
                      • Opcode ID: 112308d022f541c350b2716a65b7fc44924a99feaa913f5133ae1bfb71935b75
                      • Instruction ID: 6d92a9594b17727a2ac3e522c1e8d52524c92ed44a990220826287a16c37b623
                      • Opcode Fuzzy Hash: 112308d022f541c350b2716a65b7fc44924a99feaa913f5133ae1bfb71935b75
                      • Instruction Fuzzy Hash: 10217F35304A02BFEF219FA08C01FFAB7AABB49701F10401AF91196551E7719811A790
                      APIs
                        • Part of subcall function 0007F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0007E1C4,?,?,?,0007EFB7,00000000,000000EF,00000119,?,?), ref: 0007F5BC
                        • Part of subcall function 0007F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0007F5E2
                        • Part of subcall function 0007F5AD: lstrcmpiW.KERNEL32(00000000,?,0007E1C4,?,?,?,0007EFB7,00000000,000000EF,00000119,?,?), ref: 0007F613
                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0007EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0007E1DD
                      • lstrcpyW.KERNEL32(00000000,?), ref: 0007E203
                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0007EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0007E237
                      Strings
                      Similarity
                      • API ID: lstrcmpilstrcpylstrlen
                      • String ID: cdecl
                      • API String ID: 4031866154-3896280584
                      • Opcode ID: 3f2bd35bc1685245fa2ce86ea76afadfa349029a250d4cf794ecaf5e1e3a11c1
                      • Instruction ID: 7e1fcd466de2c44a3ef2bec229b13161dee68ad27035d5c67683c4034bb9781a
                      • Opcode Fuzzy Hash: 3f2bd35bc1685245fa2ce86ea76afadfa349029a250d4cf794ecaf5e1e3a11c1
                      • Instruction Fuzzy Hash: 7D110336200342EFCB24AF74DC05D7A37A8FF49310B40807AF90ACB251EB759851C7A4
                      APIs
                      • _free.LIBCMT ref: 00055351
                        • Part of subcall function 0004594C: __FF_MSGBANNER.LIBCMT ref: 00045963
                        • Part of subcall function 0004594C: __NMSG_WRITE.LIBCMT ref: 0004596A
                        • Part of subcall function 0004594C: RtlAllocateHeap.NTDLL(00C20000,00000000,00000001,00000000,?,?,?,00041013,?), ref: 0004598F
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 70713a0ef4a336b8d76d241a2bdc2eac743386e8cb6ff5c406be615d3ca1198c
                      • Instruction ID: d214f89de9db4f155c1bc7cea9babc3107f9b91bfbd16612ffa220d40889667e
                      • Opcode Fuzzy Hash: 70713a0ef4a336b8d76d241a2bdc2eac743386e8cb6ff5c406be615d3ca1198c
                      • Instruction Fuzzy Hash: 10110472905A05AFDB302F70EC556AF37D45F013E3B104439FD48AA092EE748B449354
                      APIs
                      • _memset.LIBCMT ref: 00024560
                        • Part of subcall function 0002410D: _memset.LIBCMT ref: 0002418D
                        • Part of subcall function 0002410D: _wcscpy.LIBCMT ref: 000241E1
                        • Part of subcall function 0002410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 000241F1
                      • KillTimer.USER32(?,00000001,?,?), ref: 000245B5
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 000245C4
                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0005D6CE
                      Similarity
                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                      • String ID:
                      • API String ID: 1378193009-0
                      • Opcode ID: 3758d7f3b7421b3b381b75aced355a064427232d9acfdc3a0d3a8bf0f275a1e4
                      • Instruction ID: f7ff979fe59c17fb30bbbfe997e1bc0804aab5aa060b1e20de7e45255ebe6978
                      • Opcode Fuzzy Hash: 3758d7f3b7421b3b381b75aced355a064427232d9acfdc3a0d3a8bf0f275a1e4
                      • Instruction Fuzzy Hash: 7F210A70904B949FFB728B24D845BEBBBEC9F01309F00009FE6DE56142C7B45A898B51
                      APIs
                      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 000840D1
                      • _memset.LIBCMT ref: 000840F2
                      • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00084144
                      • CloseHandle.KERNEL32(00000000), ref: 0008414D
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle_memset
                      • String ID:
                      • API String ID: 1157408455-0
                      • Opcode ID: cf35e82ac1aacc52916d030a7d0531e978d82fc8cd4e90ff202f9fda519b5a66
                      • Instruction ID: 04024cd3e6edc4066a4793eece965007ee90146a5160b093d7f6848c45c0a95d
                      • Opcode Fuzzy Hash: cf35e82ac1aacc52916d030a7d0531e978d82fc8cd4e90ff202f9fda519b5a66
                      • Instruction Fuzzy Hash: AD11AB759012287AE7305BA59C4DFABBBBCEF45760F1046A6F908D7180D6744E808BA4
                      APIs
                        • Part of subcall function 00025B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00087B20,?,?,00000000), ref: 00025B8C
                        • Part of subcall function 00025B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00087B20,?,?,00000000,?,?), ref: 00025BB0
                      • gethostbyname.WSOCK32(?,?,?), ref: 000966AC
                      • WSAGetLastError.WSOCK32(00000000), ref: 000966B7
                      • _memmove.LIBCMT ref: 000966E4
                      • inet_ntoa.WSOCK32(?), ref: 000966EF
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                      • String ID:
                      • API String ID: 1504782959-0
                      • Opcode ID: cdeca72b9f8dab2b0ae2092289ed2eada6dda9809ebef4c090c953c6ed3332cc
                      • Instruction ID: 50f9b16a737ff689e6857db3faddda578e215b0108e4b6e8f9df2cb83ccb978f
                      • Opcode Fuzzy Hash: cdeca72b9f8dab2b0ae2092289ed2eada6dda9809ebef4c090c953c6ed3332cc
                      • Instruction Fuzzy Hash: 3411B235900509AFCF00FBE4ED86DEEB7B8AF05311B148125F506A72A2DF31AE04DB65
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00079043
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00079055
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0007906B
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00079086
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: 4ab6638ffb3d28b0cb565a02b1ce8cea6e5131574b5a976362fad4948502012b
                      • Instruction ID: 1f424b6517a8c6d2565e617389b61514f8984d2c6a616c11c25f54580ce4ece3
                      • Opcode Fuzzy Hash: 4ab6638ffb3d28b0cb565a02b1ce8cea6e5131574b5a976362fad4948502012b
                      • Instruction Fuzzy Hash: CD114879D00218FFEB10DFA5C885EADBBB8FB48310F2040A5EA04B7290D6726E10DBD4
                      APIs
                        • Part of subcall function 00022612: GetWindowLongW.USER32(?,000000EB), ref: 00022623
                      • DefDlgProcW.USER32(?,00000020,?), ref: 000212D8
                      • GetClientRect.USER32(?,?), ref: 0005B84B
                      • GetCursorPos.USER32(?), ref: 0005B855
                      • ScreenToClient.USER32(?,?), ref: 0005B860
                      Similarity
                      • API ID: Client$CursorLongProcRectScreenWindow
                      • String ID:
                      • API String ID: 4127811313-0
                      • Opcode ID: ee3fa7f9c32ae4af39743f7855d76c09b22e73606086c43cb74c6f3d87f2b57f
                      • Instruction ID: e3eac68ccce4ba12f1d7f3a60af39255b15f0b0f006ee2225911e64d059c2e75
                      • Opcode Fuzzy Hash: ee3fa7f9c32ae4af39743f7855d76c09b22e73606086c43cb74c6f3d87f2b57f
                      • Instruction Fuzzy Hash: 78113A35A0042AEFDB10EFA4E8859FE77B8EB16301F100456F941E7251C734BA658BA5
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000801FD,?,00081250,?,00008000), ref: 0008166F
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,000801FD,?,00081250,?,00008000), ref: 00081694
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,000801FD,?,00081250,?,00008000), ref: 0008169E
                      • Sleep.KERNEL32(?,?,?,?,?,?,?,000801FD,?,00081250,?,00008000), ref: 000816D1
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      • API String ID: 2875609808-0
                      • Opcode ID: 4bd96ebf6321e4f01271bfaedb0764a561daa491c3cd1e05181cc9acfec6c511
                      • Instruction ID: d48e6830aa09c0c2bf4c88b1b831f21378329bd491d310dd5b843fda2b9b93cc
                      • Opcode Fuzzy Hash: 4bd96ebf6321e4f01271bfaedb0764a561daa491c3cd1e05181cc9acfec6c511
                      • Instruction Fuzzy Hash: 72115A31D0051DD7CF00AFE5E848AFEBB78FF09711F054055E9C0B6240DB3555628B96
                      APIs
                      Similarity
                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                      • String ID:
                      • API String ID: 3016257755-0
                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction ID: ed9a885d3fcd09b7ff3aff88dcb8b58560839dd4ca05dbd6cc1e86299113db44
                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                      • Instruction Fuzzy Hash: AE014B3604814ABBCF565E84EC018EE3F62BF69352F588615FE1C58431D236C9B9BB81
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 000AB59E
                      • ScreenToClient.USER32(?,?), ref: 000AB5B6
                      • ScreenToClient.USER32(?,?), ref: 000AB5DA
                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AB5F5
                      Similarity
                      • API ID: ClientRectScreen$InvalidateWindow
                      • String ID:
                      • API String ID: 357397906-0
                      • Opcode ID: 866191c62215719c204f46333c83fdc8b2ecbecf72af22345ffdc9f41f8953c9
                      • Instruction ID: 88c846967ec745f052b55f6ebc9ad3ed5421b6bb90f454bb7c3bcee669893e1b
                      • Opcode Fuzzy Hash: 866191c62215719c204f46333c83fdc8b2ecbecf72af22345ffdc9f41f8953c9
                      • Instruction Fuzzy Hash: C01134B5D0060AEFDB41DFA9C484AEEBBF5FB09310F104166E914E2220D735AA558F90
                      APIs
                      • _memset.LIBCMT ref: 000AB8FE
                      • _memset.LIBCMT ref: 000AB90D
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,000E7F20,000E7F64), ref: 000AB93C
                      • CloseHandle.KERNEL32 ref: 000AB94E
                      Similarity
                      • API ID: _memset$CloseCreateHandleProcess
                      • String ID:
                      • API String ID: 3277943733-0
                      • Opcode ID: 2edb160484f7888957cb2067f6140e7f5d22ce1062bd11b2b16bc36f639def85
                      • Instruction ID: cda01e9ee32e35ed75b4609585cf04e161dc0594c7ffe390d4e844cc5136cc65
                      • Opcode Fuzzy Hash: 2edb160484f7888957cb2067f6140e7f5d22ce1062bd11b2b16bc36f639def85
                      • Instruction Fuzzy Hash: 81F05EF25443807FF71027A1AC49FBB3A9CEB09754F000070FA0CE91A2D7794D0087A8
                      APIs
                      • EnterCriticalSection.KERNEL32(?), ref: 00086E88
                        • Part of subcall function 0008794E: _memset.LIBCMT ref: 00087983
                      • _memmove.LIBCMT ref: 00086EAB
                      • _memset.LIBCMT ref: 00086EB8
                      • LeaveCriticalSection.KERNEL32(?), ref: 00086EC8
                      Similarity
                      • API ID: CriticalSection_memset$EnterLeave_memmove
                      • String ID:
                      • API String ID: 48991266-0
                      • Opcode ID: 9f18d218290d0d8353be0292b2fe7bc7ddb36388407ca02ea0b9bf1284dcf762
                      • Instruction ID: 6f0f63211b93c9934fb05b3b78773558568f06c9267f7cc2901f0c62d525268d
                      • Opcode Fuzzy Hash: 9f18d218290d0d8353be0292b2fe7bc7ddb36388407ca02ea0b9bf1284dcf762
                      • Instruction Fuzzy Hash: F5F0547A100200ABCF416F55DC85B9ABB29EF45320B04C065FE089E22BC735E951CBB4
                      APIs
                        • Part of subcall function 000212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0002134D
                        • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002135C
                        • Part of subcall function 000212F3: BeginPath.GDI32(?), ref: 00021373
                        • Part of subcall function 000212F3: SelectObject.GDI32(?,00000000), ref: 0002139C
                      • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 000AC030
                      • LineTo.GDI32(00000000,?,?), ref: 000AC03D
                      • EndPath.GDI32(00000000), ref: 000AC04D
                      • StrokePath.GDI32(00000000), ref: 000AC05B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      • API String ID: 1539411459-0
                      • Opcode ID: 022cf4bdcc67cfa5af0e920ce816a3139373866fb71d2b30891ea728f3c08df9
                      • Instruction ID: de7d5bd718f429468eb7f93d4505897fc846eb54bbdb3a63022054bc7553fbc1
                      • Opcode Fuzzy Hash: 022cf4bdcc67cfa5af0e920ce816a3139373866fb71d2b30891ea728f3c08df9
                      • Instruction Fuzzy Hash: 4AF05E3100165AFBEB226F94EC09FDE3F99AF16711F044100FA11650E28BB95565CF95
                      APIs
                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0007A399
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0007A3AC
                      • GetCurrentThreadId.KERNEL32 ref: 0007A3B3
                      • AttachThreadInput.USER32(00000000), ref: 0007A3BA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                      • String ID:
                      • API String ID: 2710830443-0
                      • Opcode ID: 528ff556213c13bab0a5cf7d1aebce75d6952b30ddcdf52773dccd4ea80012e5
                      • Instruction ID: ad16c2dcc7cc8a91d4c836b04fd6e5bdc906c47999382ec1885f6d5726725288
                      • Opcode Fuzzy Hash: 528ff556213c13bab0a5cf7d1aebce75d6952b30ddcdf52773dccd4ea80012e5
                      • Instruction Fuzzy Hash: 0AE0C931645629BAEB605FA2DC0DEEB7F5CEF177A2F008025F509D50A0C6798640DBA5
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00022231
                      • SetTextColor.GDI32(?,000000FF), ref: 0002223B
                      • SetBkMode.GDI32(?,00000001), ref: 00022250
                      • GetStockObject.GDI32(00000005), ref: 00022258
                      • GetWindowDC.USER32(?,00000000), ref: 0005C0D3
                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0005C0E0
                      • GetPixel.GDI32(00000000,?,00000000), ref: 0005C0F9
                      • GetPixel.GDI32(00000000,00000000,?), ref: 0005C112
                      • GetPixel.GDI32(00000000,?,?), ref: 0005C132
                      • ReleaseDC.USER32(?,00000000), ref: 0005C13D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                      • String ID:
                      • API String ID: 1946975507-0
                      • Opcode ID: 77145f28ea993aa21d9e57ac61335cda509697077b2298c7758439977554ee78
                      • Instruction ID: b0a1893aaf8c9563af334373a4797c9565e22adb9ddcb677528388253e1a4735
                      • Opcode Fuzzy Hash: 77145f28ea993aa21d9e57ac61335cda509697077b2298c7758439977554ee78
                      • Instruction Fuzzy Hash: DBE03932600A45EEEB615FA4FC09BE83B50EB06332F008366FA69480E187764984DB22
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 00078C63
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,0007882E), ref: 00078C6A
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0007882E), ref: 00078C77
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,0007882E), ref: 00078C7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      • API String ID: 3974789173-0
                      • Opcode ID: 2b46195a8041ede3d1ad31a2ce1c55121edd0dde5468b8f8af2f2618238a0e55
                      • Instruction ID: e25606d7fbb21896dd816a4f65f449a1b968b4621c88e15ef1f73d4f79b307d6
                      • Opcode Fuzzy Hash: 2b46195a8041ede3d1ad31a2ce1c55121edd0dde5468b8f8af2f2618238a0e55
                      • Instruction Fuzzy Hash: 0DE08636A42212DBE7605FF16D0CFA73BACEF52792F088828B245C9040DA3C8441CB61
                      APIs
                      • GetDesktopWindow.USER32 ref: 00062187
                      • GetDC.USER32(00000000), ref: 00062191
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000621B1
                      • ReleaseDC.USER32(?), ref: 000621D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: 87695534ad3c48d967333a60bed4aa3ca698b9715b4c0b4a7138bc90554ad00a
                      • Instruction ID: 8a27d5703ed2530f5739abe3a22b592be5c11a7881e005a7272a6193253259d5
                      • Opcode Fuzzy Hash: 87695534ad3c48d967333a60bed4aa3ca698b9715b4c0b4a7138bc90554ad00a
                      • Instruction Fuzzy Hash: 1EE01A75800A15EFEB219FA0D808AAD7BF1EB5D351F108425FD5A97220CB3C81419F40
                      APIs
                      • GetDesktopWindow.USER32 ref: 0006219B
                      • GetDC.USER32(00000000), ref: 000621A5
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 000621B1
                      • ReleaseDC.USER32(?), ref: 000621D2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      • API String ID: 2889604237-0
                      • Opcode ID: 2a31edbd80ed3340a81d9cc9fd0a62d12eb24705e49cd94a069d678497953c4c
                      • Instruction ID: e4403f0afe57cd6259faf786922046db2654162c0e58e3e9ef021ef040e418b7
                      • Opcode Fuzzy Hash: 2a31edbd80ed3340a81d9cc9fd0a62d12eb24705e49cd94a069d678497953c4c
                      • Instruction Fuzzy Hash: F1E012B5C00A16AFEB219FB0D808AADBBF1EB4D311F108029F95AA7220CB3C91419F40
                      APIs
                      • OleSetContainedObject.OLE32(?,00000001), ref: 0007B981
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ContainedObject
                      • String ID: AutoIt3GUI$Container
                      • API String ID: 3565006973-3941886329
                      • Opcode ID: 3df621886ab8ddfd384c747e78122a3e347b39afc7328f1a778277e0255f26d8
                      • Instruction ID: 2b0bb8b85158c64c26918c949e1f9f88978f3d6bf59152a6a43498942772f6ce
                      • Opcode Fuzzy Hash: 3df621886ab8ddfd384c747e78122a3e347b39afc7328f1a778277e0255f26d8
                      • Instruction Fuzzy Hash: 03915C70600601AFDB64DF28C884BAABBF9FF48710F14856EF949CB691DB75E840CB65
                      APIs
                        • Part of subcall function 0003FEC6: _wcscpy.LIBCMT ref: 0003FEE9
                        • Part of subcall function 00029997: __itow.LIBCMT ref: 000299C2
                        • Part of subcall function 00029997: __swprintf.LIBCMT ref: 00029A0C
                      • __wcsnicmp.LIBCMT ref: 0008B298
                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0008B361
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                      • String ID: LPT
                      • API String ID: 3222508074-1350329615
                      • Opcode ID: 7e00a33af801d4b7c8c5e6a56d37f36812a7bdce9b060c6cda24abdef78c6e8b
                      • Instruction ID: 25db27f4d2f81920320232e0fd3487a3debc7a95ec7e8ec237fc8a1c9871881d
                      • Opcode Fuzzy Hash: 7e00a33af801d4b7c8c5e6a56d37f36812a7bdce9b060c6cda24abdef78c6e8b
                      • Instruction Fuzzy Hash: EA616375A00215EFDB14EF94C885EEEB7F4BF08310F154569F586AB252DB70AE40CB51
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00032AC8
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00032AE1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      • API String ID: 2783356886-2766056989
                      • Opcode ID: 1eb510191801bc39680273d6f33ec698d9f2fdbda5bfaeceb8dde43d364c9f53
                      • Instruction ID: b655400439529b4e66fdb6fed1d78bb7032626c4453bc583925beed991c1501f
                      • Opcode Fuzzy Hash: 1eb510191801bc39680273d6f33ec698d9f2fdbda5bfaeceb8dde43d364c9f53
                      • Instruction Fuzzy Hash: EC5158714187549BE320AF50EC86BABBBE8FF84310F42485DF6D9411A6DB348929CB66
                      APIs
                        • Part of subcall function 0002506B: __fread_nolock.LIBCMT ref: 00025089
                      • _wcscmp.LIBCMT ref: 00089AAE
                      • _wcscmp.LIBCMT ref: 00089AC1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: _wcscmp$__fread_nolock
                      • String ID: FILE
                      • API String ID: 4029003684-3121273764
                      • Opcode ID: 11414fe14082b86a62493b416c6d3c1533641cf1d44a01220667cc7644f90359
                      • Instruction ID: 6ae0701533bea39879495ca02bd74451d8652ba05563e211111ad269bd8f07da
                      • Opcode Fuzzy Hash: 11414fe14082b86a62493b416c6d3c1533641cf1d44a01220667cc7644f90359
                      • Instruction Fuzzy Hash: D341B571A00619BADF20AAA4DC85FEFBBBDEF45710F040079B940A7182DA759A0487A5
                      APIs
                      • _memset.LIBCMT ref: 00092892
                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 000928C8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CrackInternet_memset
                      • String ID: |
                      • API String ID: 1413715105-2343686810
                      • Opcode ID: 5f07a57b4cddd4aacecea59067a0badad5f3fe063843854a4e4c41e26065f518
                      • Instruction ID: 2c0632b05d68fef336fa9dd1fffb376725d1570153361403584e03d2080e9626
                      • Opcode Fuzzy Hash: 5f07a57b4cddd4aacecea59067a0badad5f3fe063843854a4e4c41e26065f518
                      • Instruction Fuzzy Hash: DD310A71801119AFCF11DFA1DC85EEEBFB9FF09310F10406AF815A6166EA315A56DBA0
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 000A6D86
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 000A6DC2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: 252ab7a7df18da10a7b60cc83a384fa4061291a333e853f32c151b19c2ebcbdb
                      • Instruction ID: 3255f4bf61731402242b3ee559357c8b78519c2915d7cbad2dffe13c04e1879d
                      • Opcode Fuzzy Hash: 252ab7a7df18da10a7b60cc83a384fa4061291a333e853f32c151b19c2ebcbdb
                      • Instruction Fuzzy Hash: 1F31A171600604AEEB109FB4DC80AFB77B9FF49760F148619F9A597191CA31AC51CB60
                      APIs
                      • _memset.LIBCMT ref: 00082E00
                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00082E3B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 1920445aba6078623069edc018133e61d1e6335f15c28c4fc845845e44041713
                      • Instruction ID: e92bd33e03fbfb599179fe659b1891b9ddc676c3cfdd4fe3b3926d4f4d32b481
                      • Opcode Fuzzy Hash: 1920445aba6078623069edc018133e61d1e6335f15c28c4fc845845e44041713
                      • Instruction Fuzzy Hash: C631F571A00309ABEB64AF58D885BEEBBF9FF05340F14003AE9C5A61A1D7709980CB18
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 000A69D0
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 000A69DB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 77049d1faeec3a0a63327ee8c293e5bee5af0d88cd596b0fb8c502be5f04e01f
                      • Instruction ID: 4f0ab364bcc1bdce8bd7920f5008ea8f9a28258d6050b830d93e3ec114657898
                      • Opcode Fuzzy Hash: 77049d1faeec3a0a63327ee8c293e5bee5af0d88cd596b0fb8c502be5f04e01f
                      • Instruction Fuzzy Hash: CC110471300208AFEF118F94CC80EFB37BEEB9A3A4F150125F9589B291D6369C5087A0
                      APIs
                        • Part of subcall function 00021D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00021D73
                        • Part of subcall function 00021D35: GetStockObject.GDI32(00000011), ref: 00021D87
                        • Part of subcall function 00021D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00021D91
                      • GetWindowRect.USER32(00000000,?), ref: 000A6EE0
                      • GetSysColor.USER32(00000012), ref: 000A6EFA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: 4176b7f6e2a939445854399b9900694f751981b167afae119a76a817f535adeb
                      • Instruction ID: 69d68c7d2fe8722471f210e914462e2e7fef69420bcac60bad819d1820cdcfd2
                      • Opcode Fuzzy Hash: 4176b7f6e2a939445854399b9900694f751981b167afae119a76a817f535adeb
                      • Instruction Fuzzy Hash: 2B21597261020AAFDB04DFE8DC45AFA7BF8FB09314F044629FA55D3250D635E861DB50
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 000A6C11
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 000A6C20
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: 18e983a4dc1ad0a372e6d661731ff82ef6b91ea3625f172e20b8c46e574f588a
                      • Instruction ID: d95ff5491ea6c22117c1640fe516e8664e02a78325108830275147879191eb00
                      • Opcode Fuzzy Hash: 18e983a4dc1ad0a372e6d661731ff82ef6b91ea3625f172e20b8c46e574f588a
                      • Instruction Fuzzy Hash: E2118F71510108ABEB505EA4DC41AFB37B9EB163B8F144724F961D71E0C776DC919B60
                      APIs
                      • _memset.LIBCMT ref: 00082F11
                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00082F30
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: InfoItemMenu_memset
                      • String ID: 0
                      • API String ID: 2223754486-4108050209
                      • Opcode ID: 54e810a7dbefd61367ca894e1d25ced668e5773e6ad72d30ba1ef69b3029826d
                      • Instruction ID: 2e7ef4e28674e182ffbf9611a551da67f10c0a927908660579df53a17e300b90
                      • Opcode Fuzzy Hash: 54e810a7dbefd61367ca894e1d25ced668e5773e6ad72d30ba1ef69b3029826d
                      • Instruction Fuzzy Hash: 5B11E231D01114ABDB20FB58DC44BAE73F9FB11350F0800B6EA94B72A1DBB0AD04C799
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00092520
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00092549
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      • Opcode ID: 00d6368e9c1424439c7df8952acc4ff73a31681dd2842b48759946a1c5d7fd7a
                      • Instruction ID: 7b9fc79fd9544ad4d5e14a679a31b2d59055a816dc74a05e5558a386cf6df0a7
                      • Opcode Fuzzy Hash: 00d6368e9c1424439c7df8952acc4ff73a31681dd2842b48759946a1c5d7fd7a
                      • Instruction Fuzzy Hash: 9411C270505A25BADF248F618C99EFBFFA8FF06751F11812AF90586140D270A991EAF0
                      APIs
                        • Part of subcall function 0009830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,000980C8,?,00000000,?,?), ref: 00098322
                      • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 000980CB
                      • htons.WSOCK32(00000000,?,00000000), ref: 00098108
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ByteCharMultiWidehtonsinet_addr
                      • String ID: 255.255.255.255
                      • API String ID: 2496851823-2422070025
                      • Opcode ID: ac1eb0001bd48f7fb8f4bbf92719a6cf8c496ef5abe7c097d581a59f3c4c9388
                      • Instruction ID: 2f1583ec6062765e9c1054a6e02fa38128fc387163ad7ac5535e36a2da72ccb0
                      • Opcode Fuzzy Hash: ac1eb0001bd48f7fb8f4bbf92719a6cf8c496ef5abe7c097d581a59f3c4c9388
                      • Instruction Fuzzy Hash: 5711CE34604205ABDF20AFA4CC46FFDB368EF46320F10C526EA1697392DA32A811D795
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00079355
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: c84482df553435ec20b10e96e96837130c2137d2cb2b6f536d2983e31ea07f57
                      • Instruction ID: 41d1a075a3f8d639b47f8a9b632c514f7228b04f265e6756006a7fbb0aeb04d1
                      • Opcode Fuzzy Hash: c84482df553435ec20b10e96e96837130c2137d2cb2b6f536d2983e31ea07f57
                      • Instruction Fuzzy Hash: 1B01F171E05228ABCB04EBA0CC928FE77ADBF06320B144629F936672D2DB3559088764
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 0007924D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: af25206332f735121b2a057f7c0c4b0806fccddb1f3358f5e1470c082e0e0034
                      • Instruction ID: bc93114a4fb2f693b150a78ecbf4c50a9c7ad52c8b1277f85e62e2e1ff54dcf5
                      • Opcode Fuzzy Hash: af25206332f735121b2a057f7c0c4b0806fccddb1f3358f5e1470c082e0e0034
                      • Instruction Fuzzy Hash: E201F771E452087BCF14FBA0D992EFF77AC9F05300F144169B91A67293EA285F0C82B5
                      APIs
                        • Part of subcall function 00027F41: _memmove.LIBCMT ref: 00027F82
                        • Part of subcall function 0007B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0007B0E7
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 000792D0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_memmove
                      • String ID: ComboBox$ListBox
                      • API String ID: 372448540-1403004172
                      • Opcode ID: 5cea1a721f381075b5e3a97605cd0ceab079efc60d1c86ff3a3052733b80f639
                      • Instruction ID: c9cdb448d388e5ac3f55773d0bc0aa5e710ef397a81ebae211693879ea2b6ba9
                      • Opcode Fuzzy Hash: 5cea1a721f381075b5e3a97605cd0ceab079efc60d1c86ff3a3052733b80f639
                      • Instruction Fuzzy Hash: EA01A271E4521877CF14FAA0D992EFF77AC9F11300F244125B91A77283DA295E0896BA
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: ClassName_wcscmp
                      • String ID: #32770
                      • API String ID: 2292705959-463685578
                      • Opcode ID: f87bb1ab337315e5c47c2a6a3f6040a590f6a7abb8527153f6c7cd09f46cd91c
                      • Instruction ID: e6d593c5c36ac4cf1bfc8ec857782c28af246034a7125e7ce93499be42645ce4
                      • Opcode Fuzzy Hash: f87bb1ab337315e5c47c2a6a3f6040a590f6a7abb8527153f6c7cd09f46cd91c
                      • Instruction Fuzzy Hash: 51E06173A0472D17E320A6999C49FB7F7ECEB41731F000167FD54D7040D560990587E0
                      APIs
                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 000781CA
                        • Part of subcall function 00043598: _doexit.LIBCMT ref: 000435A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: Message_doexit
                      • String ID: AutoIt$Error allocating memory.
                      • API String ID: 1993061046-4017498283
                      • Opcode ID: cfbc1940a8b0583a67e12537ae2528492545e095b132829b47d7629ee0a4b79a
                      • Instruction ID: 3a973a7834f0c63006267ca17825fb8e7bb62bf2952418ff951a4b5186349d1d
                      • Opcode Fuzzy Hash: cfbc1940a8b0583a67e12537ae2528492545e095b132829b47d7629ee0a4b79a
                      • Instruction Fuzzy Hash: 6BD05E723C532832E21432E87C0BFCA7A884F05B52F448036BB08995D3CEE699D242ED
                      APIs
                        • Part of subcall function 0005B564: _memset.LIBCMT ref: 0005B571
                        • Part of subcall function 00040B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0005B540,?,?,?,0002100A), ref: 00040B89
                      • IsDebuggerPresent.KERNEL32(?,?,?,0002100A), ref: 0005B544
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0002100A), ref: 0005B553
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0005B54E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                      • Associated: 00000000.00000002.1643904003.0000000000020000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000AF000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643958107.00000000000D5000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1643993044.00000000000DF000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1644007204.00000000000E8000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_20000_Ship Docs_CI PL HBL COO_.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 3158253471-631824599
                      • Opcode ID: f28e6dc4f2a6381264aa010f9886a2955e3ee9f65b126525381c5bf475b93e76
                      • Instruction ID: 98377b4ed482ab1387c9aaf8731120e5384e90f650f1c88167caad918bb22306
                      • Opcode Fuzzy Hash: f28e6dc4f2a6381264aa010f9886a2955e3ee9f65b126525381c5bf475b93e76
                      • Instruction Fuzzy Hash: 90E092B0200B11CFE725DF68E4047477BE4AF00745F00892CE946DB652E7B9E408CBA1
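The function records above (APIs, Strings, Memory Dump Source, Similarity) are easier to triage once reduced to one row per function. The parser below is an added example and is not code from the Joe Sandbox report or its IDA plugin. It reads records in the layout shown on this page, separates direct API calls from those reported as "Part of subcall function", keeps the call-site addresses, strips the "xrefs:" suffix from string entries, collects the Similarity fields, and flags functions that call IsDebuggerPresent/OutputDebugStringW (a debugger check) or WININET/WSOCK32 networking APIs. The sample input is constructed from two of the records above; the anti-debug and network API sets are this example's own heuristic, and the assumption that every record starts with a bare "APIs" line holds for the layout shown here but is not guaranteed by the report format.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two function records in the layout the report uses above
# (a WININET helper and an ATL start-up routine that calls IsDebuggerPresent).
# Assumption: every record starts with a bare "APIs" header line.
SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00092520
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00092549
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 0005B564: _memset.LIBCMT ref: 0005B571
  • Part of subcall function 00040B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0005B540,?,?,?,0002100A), ref: 00040B89
• IsDebuggerPresent.KERNEL32(?,?,?,0002100A), ref: 0005B544
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0002100A), ref: 0005B553
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0005B54E
Memory Dump Source
• Source File: 00000000.00000002.1643917647.0000000000021000.00000020.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for calls made inside a callee.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
# Triage heuristics chosen for this example; the report itself defines no such sets.
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA", "OutputDebugStringW"}
NETWORK_MODULES = {"WININET", "WINHTTP", "WSOCK32", "WS2_32"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]                   # raw argument tokens, "?" = unresolved by the plugin
    ref: str                          # call-site address
    subcall_of: Optional[str] = None  # callee address when the call sits in a subroutine

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)  # "API ID", "String ID", hashes, dump source

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the flat report text into one FunctionRecord per "APIs" block."""
    records: list[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            if section == "APIs":
                records.append(FunctionRecord())
            continue
        if not records:
            continue  # text before the first record is ignored
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(raw)
            if m:
                args_str = m.group("args")
                args = args_str.split(",") if args_str else []  # naive: a comma inside a string argument also splits
                rec.apis.append(ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper(), m.group("sub")))
        elif section == "Strings":
            rec.strings.append(re.sub(r"^\s*•\s*", "", raw).rsplit(", xrefs:", 1)[0].strip())
        else:
            m = KV_RE.match(raw)
            if m:
                rec.meta[m.group("key").strip()] = m.group("value").strip()
    return records

def triage(records: list[FunctionRecord]) -> list[dict]:
    """One summary row per function: direct API calls, call-site refs and heuristic flags."""
    rows = []
    for rec in records:
        direct = [c for c in rec.apis if c.subcall_of is None]
        flags = []
        if any(c.name in ANTI_DEBUG_APIS for c in direct):
            flags.append("anti-debug")
        if any(c.module.upper() in NETWORK_MODULES for c in rec.apis):
            flags.append("network")
        rows.append({"api_id": rec.meta.get("API ID", ""), "string_id": rec.meta.get("String ID", ""),
                     "direct_apis": [c.name for c in direct], "refs": [c.ref for c in direct], "flags": flags})
    return rows
```

Running `triage(parse_records(SAMPLE))` yields one row per record; the second row carries the "anti-debug" flag with refs 0005B544 and 0005B553, which are the call sites to set a breakpoint on when stepping this routine under a debugger. Subcall entries are kept on the record but excluded from the direct-call list so that a flag is attributed to the function that actually issues the call.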