Windows Analysis Report
shipping doc.exe

Overview

General Information

Sample name: shipping doc.exe
Analysis ID: 1496591
MD5: ac09eb920712db66910ef959bebb8fd0
SHA1: 11fc5cca33cef45a601c5df6be4f3e7e73ad51a4
SHA256: 2d3fb537499bf57a40ffd8def80f6685de2e297bb449dec013d2fe29340cb10b
Tags: exe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • shipping doc.exe (PID: 5684 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: AC09EB920712DB66910EF959BEBB8FD0)
    • RegSvcs.exe (PID: 1104 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • shipping doc.exe (PID: 2380 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: AC09EB920712DB66910EF959BEBB8FD0)
      • RegSvcs.exe (PID: 3336 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • shipping doc.exe (PID: 1460 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: AC09EB920712DB66910EF959BEBB8FD0)
        • RegSvcs.exe (PID: 2536 cmdline: "C:\Users\user\Desktop\shipping doc.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000004.00000002.1873906355.0000000000F00000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen

Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
4.2.shipping doc.exe.f00000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
5.2.RegSvcs.exe.3ab2f90.3.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
5.2.RegSvcs.exe.3ab2f90.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.3ab2f90.3.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

System Summary

Source: Network Connection | Author: frack113 | Data: DestinationIp: 162.251.80.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 2536, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735

Timestamp: 2024-08-21T14:36:22.905117+0200
SID: 2855245
Severity: 1
Source Port: 49735
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-21T14:36:22.905117+0200
SID: 2855542
Severity: 1
Source Port: 49735
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-21T14:36:16.456932+0200
SID: 2030171
Severity: 1
Source Port: 49735
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 2024-08-21T14:36:16.456932+0200
SID: 2839723
Severity: 1
Source Port: 49735
Destination Port: 587
Protocol: TCP
Classtype: Malware Command and Control Activity Detected

Timestamp: 2024-08-21T14:36:16.456932+0200
SID: 2840032
Severity: 1
Source Port: 49735
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: shipping doc.exe | Joe Sandbox ML: detected
Source: shipping doc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: shipping doc.exe, 00000000.00000003.1846469141.0000000004070000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000000.00000003.1846360246.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1860988771.0000000003770000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1861251824.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1872811575.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1871767589.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: shipping doc.exe, 00000000.00000003.1846469141.0000000004070000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000000.00000003.1846360246.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1860988771.0000000003770000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1861251824.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1872811575.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1871767589.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010468EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose

Networking

Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.4:49735 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49735 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.4:49735 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.4:49735 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.4:49735 -> 162.251.80.30:587
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 162.251.80.30:587
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104CF1A InternetQueryDataAvailable,InternetReadFile,GetLastError,SetEvent,SetEvent
Source: global traffic | DNS traffic detected: DNS query: mail.thelamalab.com
Source: RegSvcs.exe, 00000005.00000002.3088288855.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.thelamalab.com
Source: RegSvcs.exe, 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, abAX9N.cs | .Net Code: K8VU1S
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01069576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 4.2.shipping doc.exe.f00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.shipping doc.exe.9e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.shipping doc.exe.1610000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000004.00000002.1873906355.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.1849484585.0000000001610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000005.00000002.3087011399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000002.00000002.1862188106.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: shipping doc.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: shipping doc.exe, 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_51a02c3a-e
Source: shipping doc.exe, 00000002.00000002.1862666211.0000000001092000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_51dec8d9-7
Source: shipping doc.exe, 00000004.00000000.1861655306.0000000001092000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7571a3f7-b
Source: shipping doc.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_791c8ce3-7
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103D5EB CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD8060
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01042046
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01038298
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0100E4FF
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0100676B
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01064873
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FDCAF0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FFCAA0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FECC39
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01006DD9
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD91C0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FEB119
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF1394
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF1706
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF781B
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF19B0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FE997D
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD7920
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF7A4A
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF7CA7
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF1C77
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0105BE44
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF1F32
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01009EEE
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_016035F0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 2_2_009D35F0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 4_2_00EF35F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00408C60
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040DC11
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00407C3F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418CCC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00406CA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004028B0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A4BE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418244
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00401650
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004193C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00418788
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402F89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00402B90
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004073A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0254CBE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0254D800
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_025412CA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0254CF30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02541030
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0606ADC8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06068358
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06065018
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0606E5F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06060006
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_06060040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060A95F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060A4348
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060A0638
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060A7B98
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: String function: 00FF0A30 appears 46 times
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: String function: 00FEF9F2 appears 31 times
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 43 times
                Source: shipping doc.exe, 00000000.00000003.1846081511.000000000419D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe, 00000000.00000003.1845950205.0000000003FF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe, 00000000.00000002.1849484585.0000000001610000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs shipping doc.exe
                Source: shipping doc.exe, 00000002.00000003.1860988771.000000000389D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe, 00000002.00000003.1861251824.00000000036F3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe, 00000002.00000002.1862188106.00000000009E0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs shipping doc.exe
                Source: shipping doc.exe, 00000004.00000002.1873906355.0000000000F00000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs shipping doc.exe
                Source: shipping doc.exe, 00000004.00000003.1873191472.0000000003E33000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe, 00000004.00000003.1871767589.0000000003FDD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc.exe
                Source: shipping doc.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 4.2.shipping doc.exe.f00000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.shipping doc.exe.9e0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.shipping doc.exe.1610000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000004.00000002.1873906355.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000000.00000002.1849484585.0000000001610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000005.00000002.3087011399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.1862188106.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, YUgDfWK2g4.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/8@1/1
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010437B5 GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010310BF AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0105A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\shipping doc.exe | File created: C:\Users\user\AppData\Local\Temp\aut81E1.tmp
                Source: shipping doc.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\shipping doc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\shipping doc.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Users\user\Desktop\shipping doc.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Users\user\Desktop\shipping doc.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                Source: shipping doc.exe | Static file information: File size 1285120 > 1048576
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: shipping doc.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: shipping doc.exe, 00000000.00000003.1846469141.0000000004070000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000000.00000003.1846360246.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1860988771.0000000003770000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1861251824.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1872811575.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1871767589.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: shipping doc.exe, 00000000.00000003.1846469141.0000000004070000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000000.00000003.1846360246.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1860988771.0000000003770000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000002.00000003.1861251824.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1872811575.0000000003D10000.00000004.00001000.00020000.00000000.sdmp, shipping doc.exe, 00000004.00000003.1871767589.0000000003EB0000.00000004.00001000.00020000.00000000.sdmp
                Source: shipping doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: shipping doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: shipping doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: shipping doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: shipping doc.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF0A76 push ecx; ret 0_2_00FF0A89
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C40C push cs; iretd 5_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00423149 push eax; ret 5_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C50E push cs; iretd 5_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004231C8 push eax; ret 5_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040E21D push ecx; ret 5_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041C6BE push ebx; ret 5_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040BB97 push dword ptr [ecx-75h]; iretd 5_2_0040BBA3
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02544754 push esi; retf 5_2_0254475F
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_02544FA9 push es; ret 5_2_02544FAF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0606DD20 pushad ; retf 5_2_0606DD21
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060AA241 push esp; retf 5_2_060AA2A7
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060AFE10 push es; ret 5_2_060AFE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_060AFDF0 push es; ret 5_2_060AFE00
                Source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mtHImo5xm3ZXj', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mtHImo5xm3ZXj', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mtHImo5xm3ZXj', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mtHImo5xm3ZXj', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'mtHImo5xm3ZXj', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FEF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00FEF98E
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01061C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_01061C41
                Source: C:\Users\user\Desktop\shipping doc.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\shipping doc.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep graph_0-95846
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\shipping doc.exe | API/Special instruction interceptor: Address: 1603214
                Source: C:\Users\user\Desktop\shipping doc.exe | API/Special instruction interceptor: Address: 9D3214
                Source: C:\Users\user\Desktop\shipping doc.exe | API/Special instruction interceptor: Address: EF3214
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1469
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3093
                Source: C:\Users\user\Desktop\shipping doc.exe | API coverage: 3.9 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0103DBBE
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0104698F
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_010468EE FindFirstFileW,FindClose,0_2_010468EE
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D076
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0103D3A9
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0104979D
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01049642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_01049642
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01049B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_01049B2B
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01045C97 FindFirstFileW,FindNextFileW,FindClose,0_2_01045C97
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99776
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99671
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98903
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98797
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97811
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97608
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: RegSvcs.exe, 00000005.00000002.3090155681.0000000005392000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0104EAA2 BlockInput,0_2_0104EAA2
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01002622
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,5_2_004019F0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF4CE8 mov eax, dword ptr fs:[00000030h] 0_2_00FF4CE8
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_016034E0 mov eax, dword ptr fs:[00000030h] 0_2_016034E0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01603480 mov eax, dword ptr fs:[00000030h] 0_2_01603480
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01601E70 mov eax, dword ptr fs:[00000030h] 0_2_01601E70
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 2_2_009D3480 mov eax, dword ptr fs:[00000030h] 2_2_009D3480
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 2_2_009D1E70 mov eax, dword ptr fs:[00000030h] 2_2_009D1E70
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 2_2_009D34E0 mov eax, dword ptr fs:[00000030h] 2_2_009D34E0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 4_2_00EF34E0 mov eax, dword ptr fs:[00000030h] 4_2_00EF34E0
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 4_2_00EF1E70 mov eax, dword ptr fs:[00000030h] 4_2_00EF1E70
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 4_2_00EF3480 mov eax, dword ptr fs:[00000030h] 4_2_00EF3480
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_01030B62
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01002622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01002622
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00FF083F
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF09D5 SetUnhandledExceptionFilter,0_2_00FF09D5
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00FF0C21
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040CE09
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_0040E61C
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00416F6A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004123F1 SetUnhandledExceptionFilter,5_2_004123F1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\shipping doc.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\shipping doc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 730008
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01031201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_01031201
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01012BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_01012BA5
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103B226 SendInput,keybd_event,0_2_0103B226
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0103E355 mouse_event,0_2_0103E355
                Source: C:\Users\user\Desktop\shipping doc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc.exe"
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01030B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_01030B62
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01031663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_01031663
                Source: shipping doc.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: shipping doc.exe | Binary or memory string: Shell_TrayWnd
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FF0698 cpuid 0_2_00FF0698
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA,5_2_00417A20
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_01048195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_01048195
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0102D27A GetUserNameW,0_2_0102D27A
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_0100BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0100BB6F
                Source: C:\Users\user\Desktop\shipping doc.exe | Code function: 0_2_00FD42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00FD42DE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3088288855.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3088288855.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3088288855.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2536, type: MEMORYSTR
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, file opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: shipping doc.exe, binary or memory string: WIN_81
Source: shipping doc.exe, binary or memory string: WIN_XP
Source: shipping doc.exe, binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: shipping doc.exe, binary or memory string: WIN_XPe
Source: shipping doc.exe, binary or memory string: WIN_VISTA
Source: shipping doc.exe, binary or memory string: WIN_7
Source: shipping doc.exe, binary or memory string: WIN_8
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3088288855.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 2536, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match, file source: dump.pcap, type: PCAP
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3088288855.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3088288855.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3088288855.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: RegSvcs.exe PID: 2536, type: MEMORYSTR
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273fe8e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.273efa6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a65570.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170ee8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3ab2f90.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.3a66458.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.51c0000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 5.2.RegSvcs.exe.5170000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\shipping doc.exe, code function: 0_2_01051204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\shipping doc.exe, code function: 0_2_01051806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (one line per tactic; the nine matrix cells of each tactic are listed in row order; a bracketed number is the badge count shown with that technique, cells without a number carried no badge)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: [2] Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: [121] Windows Management Instrumentation; [1] Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: [1] DLL Side-Loading; [2] Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: [1] Exploitation for Privilege Escalation; [1] DLL Side-Loading; [2] Valid Accounts; [21] Access Token Manipulation; [212] Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: [11] Disable or Modify Tools; [11] Deobfuscate/Decode Files or Information; [2] Obfuscated Files or Information; [1] Software Packing; [1] DLL Side-Loading; [2] Valid Accounts; [221] Virtualization/Sandbox Evasion; [21] Access Token Manipulation; [212] Process Injection
Credential Access: [2] OS Credential Dumping; [121] Input Capture; [1] Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: [2] System Time Discovery; [1] Account Discovery; [2] File and Directory Discovery; [148] System Information Discovery; [341] Security Software Discovery; [221] Virtualization/Sandbox Evasion; [2] Process Discovery; [11] Application Window Discovery; [1] System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: [11] Archive Collected Data; [2] Data from Local System; [1] Email Collection; [121] Input Capture; [3] Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: [1] Ingress Tool Transfer; [1] Encrypted Channel; [1] Non-Standard Port; [1] Non-Application Layer Protocol; [11] Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: [1] System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1496591, sample: shipping doc.exe, start date: 21/08/2024, architecture: WINDOWS, score: 100)

Process tree as drawn in the graph (node numbers as on the graph; the small number after a process name is as shown):

[2] Start
    DNS/IP: mail.thelamalab.com
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures
[9] shipping doc.exe (4), started by [2]
    Signatures: Binary is likely a compiled AutoIt script file
[12] shipping doc.exe (2), started by [9]
    Signatures: Binary is likely a compiled AutoIt script file
[15] RegSvcs.exe, started by [9]
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
[17] shipping doc.exe (2), started by [12]
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
[20] RegSvcs.exe, started by [12]
[22] RegSvcs.exe (2), started by [17]
    DNS/IP: mail.thelamalab.com 162.251.80.30, local port 49735 to remote port 587, PUBLIC-DOMAIN-REGISTRYUS, United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
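The credential-store accesses listed above for RegSvcs.exe and the outbound connection to mail.thelamalab.com on port 587 in the behavior graph are, taken together, the behaviour a defender wants to hunt for: a signed .NET framework utility that has no reason to read browser, mail, FTP or WinSCP credential stores doing exactly that and then talking SMTP. The script below is an added example, not part of the Joe Sandbox report. It correlates constructed Sysmon-style events modelled on the report's paths and connection; the event schema, the benign noise events, the address 203.0.113.10 and the list of injection targets other than RegSvcs.exe are assumptions.

```python
"""Hunt for the credential-theft pattern documented in this report.

Added example, not part of the Joe Sandbox report. Runs over constructed
Sysmon-style events modelled on RegSvcs.exe PID 2536: a signed .NET utility
reading browser, mail, FTP and WinSCP credential stores, then connecting
outbound on an SMTP port. Event schema and extra injection targets are assumptions.
"""
import re
from collections import defaultdict

# Credential stores the report shows RegSvcs.exe opening, generalised to any
# user profile and any browser profile directory name.
CREDENTIAL_FILE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$",
    r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\Login Data$",
    r"\\AppData\\Roaming\\Mozilla\\Firefox\\profiles\.ini$",
    r"\\AppData\\Roaming\\Thunderbird\\profiles\.ini$",
    r"\\AppData\\Roaming\\8pecxstudios\\Cyberfox\\profiles\.ini$",
    r"\\AppData\\Roaming\\NETGATE Technologies\\BlackHawk\\profiles\.ini$",
    r"^C:\\FTP Navigator\\Ftplist\.txt$",
)]
CREDENTIAL_KEY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions$",
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles$",
    r"^HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities$",
)]
MAIL_PORTS = {25, 465, 587}
# RegSvcs.exe is the host process seen in this report; the other three are an
# assumption (signed .NET utilities commonly used the same way).
INJECTION_TARGETS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Tag one event as cred_file, cred_key or smtp_out; None if not interesting."""
    kind = event["event"]
    if kind == "FileOpen" and any(p.search(event["target"]) for p in CREDENTIAL_FILE_PATTERNS):
        return "cred_file"
    if kind == "RegOpen" and any(p.search(event["target"]) for p in CREDENTIAL_KEY_PATTERNS):
        return "cred_key"
    if kind == "NetConnect" and event["dst_port"] in MAIL_PORTS:
        return "smtp_out"
    return None


def hunt(events):
    """Correlate tagged events per PID. Alert only when one injection-target
    process both reads credential stores and connects to a mail port; a browser
    reading its own Login Data or a mail client on 587 does not alert alone."""
    per_pid = defaultdict(lambda: {"image": "", "cred_file": [], "cred_key": [], "smtp_out": []})
    for ev in events:
        tag = classify(ev)
        if tag is None:
            continue
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        rec[tag].append(f'{ev["dst_ip"]}:{ev["dst_port"]}' if tag == "smtp_out" else ev["target"])
    alerts = []
    for pid, rec in sorted(per_pid.items()):
        stores = rec["cred_file"] + rec["cred_key"]
        if image_name(rec["image"]) in INJECTION_TARGETS and stores and rec["smtp_out"]:
            alerts.append({"pid": pid, "image": rec["image"],
                           "credential_stores": stores, "smtp": rec["smtp_out"]})
    return alerts


# Constructed events (not the report's own logs), following the paths it lists.
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
SAMPLE_EVENTS = [
    {"event": "FileOpen", "pid": 2536, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileOpen", "pid": 2536, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"event": "FileOpen", "pid": 2536, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"event": "FileOpen", "pid": 2536, "image": REGSVCS,
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"event": "FileOpen", "pid": 2536, "image": REGSVCS, "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"event": "RegOpen", "pid": 2536, "image": REGSVCS,
     "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"event": "NetConnect", "pid": 2536, "image": REGSVCS, "dst_ip": "162.251.80.30", "dst_port": 587},
    # Benign noise: Chrome reading its own store, a mail client submitting on 587
    # (203.0.113.10 is a documentation address), and a legitimate RegSvcs.exe run.
    {"event": "FileOpen", "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "NetConnect", "pid": 5200, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.10", "dst_port": 587},
    {"event": "FileOpen", "pid": 3000, "image": REGSVCS, "target": r"C:\build\MyComponent.dll"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(f'ALERT pid={alert["pid"]} {alert["image"]} read {len(alert["credential_stores"])} '
              f'credential stores, then connected to {", ".join(alert["smtp"])}')
```

Run as-is it raises one alert, for PID 2536, after six credential-store accesses and the connection to 162.251.80.30:587. The three noise events stay silent because the correlation requires the same PID to be an injection target, touch a credential store and open a mail connection; in a real deployment the patterns would be fed from Sysmon event IDs 11/12/3 (or equivalent EDR telemetry) rather than the constructed list.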

Source | Detection | Scanner | Label | Link
shipping doc.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://mail.thelamalab.com | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.thelamalab.com | 162.251.80.30 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.thelamalab.com | RegSvcs.exe, 00000005.00000002.3088288855.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
162.251.80.30 | mail.thelamalab.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
                  Joe Sandbox version:40.0.0 Tourmaline
                  Analysis ID:1496591
                  Start date and time:2024-08-21 14:35:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 53s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:shipping doc.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@11/8@1/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 96%
                  • Number of executed functions: 50
                  • Number of non-executed functions: 291
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: shipping doc.exe
Time | Type | Description
08:36:19 | API Interceptor | 23x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.251.80.30 | shipping advice.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.thelamalab.com | shipping advice.exe | malicious | AgentTesla | 162.251.80.30
mail.thelamalab.com | new p o.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | DOCUMENTS.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | receipt-73633T36X90N.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | AQQ-T7630-CVE8.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla | 162.222.226.100
mail.thelamalab.com | SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla | 162.222.226.100

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | shipping advice.exe | malicious | AgentTesla | 162.251.80.30
PUBLIC-DOMAIN-REGISTRYUS | rShippingDocuments.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | rShippingDocuments.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | New PO pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | https://vagvn.remmipyservice.org/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https%3a%2f%2foutlook.office.com%2fowa%2f&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=1&msaredir=1&client-request-id=7f545595-f5d6-deb9-f7f9-d2b50e22cac0&protectedtoken=true&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d&nonce=638594191528303546.52bdeb30-750b-42d2-83a1-0b37c2fd3e58&state=DctBFoAgCABRrNdxSARJPI6kbVt2_Vj82U0CgD1sIVEE2iWmvZZelE1ItF6nss_lQtiUHCtPRpNRkFzazc-UpZbiPfL7jfwD&sso_reload=tru | malicious | HTMLPhisher | 199.79.63.24
PUBLIC-DOMAIN-REGISTRYUS | http://sapr.co.in | malicious | Unknown | 103.53.42.238
PUBLIC-DOMAIN-REGISTRYUS | http://payment1-payu.maklifedairy.in/ | malicious | Unknown | 45.113.122.245
PUBLIC-DOMAIN-REGISTRYUS | Shipping Documents.exe | malicious | AgentTesla, PureLog Stealer | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | https://professionalprojectmanagementpro.benchurl.com/c/l?u=116E33D3&e=188D7F3&c=167E3A&t=0&l=108F0FCB5&email=kVZdtuK%2FWFCzmtjGcu30tMObv%2BTy5rLraMk9iWbyXew%3D&seq=1 | malicious | Unknown | 162.215.241.39
PUBLIC-DOMAIN-REGISTRYUS | QUOTE-4K748388-A-CCC2.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
                    No context
                    No context
                    Process:C:\Users\user\Desktop\shipping doc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):267776
                    Entropy (8bit):7.903691293241842
                    Encrypted:false
                    SSDEEP:6144:p8TxlPvbK+nzcFm+DokDCFjAoAausjzeZUrYKJ3WImj:2TnbKmobDokGFMDdsjzo0Y2Yj
                    MD5:E1A6E1608016E25141ECB39F29C6A3CC
                    SHA1:DA8366B9358014FCFBC2C1FF3FE4B48CE71A1DE7
                    SHA-256:F555C646B6A5B9E1B95F998815D9D26346CAAF5950ADDE982F9A45101EC3DFBE
                    SHA-512:8D44C96C3AA166EC50B44922544CD0C57957BC84E85454A8590C19F967B58D5A0065C162CF5181610013A524711FC44858AD61CE17C4A9AEB19A4187E38F4FCF
                    Malicious:false
                    Reputation:low
                    Preview:...XW1BKPR4C..8D.JYVNXT1.KTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1.KTR:\.<8.M.x.O....#=!.3:]_6%'y5/6:^6k67.1=\.-*j...x9^&.z_9Il28DDJYV&H..n:.,.2.L.5.4ku1&k@.5_.=cC.:h;.(.).Oph:,(2.L.g-4.'.&f.95y#.=.[[,h;.(NXT1BKTR4CH28DDJ'.V>T1BK..4C.3<D0.Y.NXT1BKTR.Ck33EMJY.OXTK@KTR4Cg.8DDZYVN.U1BK.R4SH28FDJ\VNXT1BKQR4CH28DD*]VN\T1.pVR6CH.8DTJYFNXT1RKTB4CH28DTJYVNXT1BKTR.VJ2hDDJY6LXT.CKTR4CH28DDJYVNXT1BKTR4CH2..EJEVNXT1BKTR4CH28DDJYVNXT1BKTR.NJ2xDDJYVNXT1BKT.5C.38DDJYVNXT1BKTR4CH28DDJYVNXzE'3 R4CP.9DDZYVN.U1BOTR4CH28DDJYVNXt1B+z P"<S8D.'YVN.U1B%TR4.I28DDJYVNXT1BK.R4.fVY0%JYV.hT1BkVR4UH28NFJYVNXT1BKTR4C.28.j8*$-XT1B.UR4#J28.EJYvLXT1BKTR4CH28D.JY.NXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR4CH28DDJYVNXT1BKTR
                    Process:C:\Users\user\Desktop\shipping doc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):43596
                    Entropy (8bit):7.823258312379333
                    Encrypted:false
                    SSDEEP:768:U6LFiPO+FBXrMg0GF96ikCW042SOHG8I5sQRD41xHLSJYt3i+FLLq45CuSSLU7Ja:UKF+FBXrSGFOxN41YJRGLoTSw6d
                    MD5:7FD503441BF5C5DD301C499CDC5201FD
                    SHA1:536108C30929686AE6E898FE897160CF871F8C4D
                    SHA-256:FF0446121065F12F02234BAFF34312DF2C1544FBF75C9415805FF60549734F1A
                    SHA-512:0F20A7868783CEA299A947EC211FAF6D50ACC5E1789D81BC2F51ED2164198FA1EB1EFEA776A4E780201F0EB5FA75AEC2C68EFA33A768E9EE9C939983F3337265
                    Malicious:false
                    Reputation:low
                    Preview:EA06..P...(.y.6g5.L...6.Pf.Z..gE..*S9..m5.M.`..jm3....9..3.Rfs.t.aX..*.9.^g6......6.Ufs.D.mE.L..9.Vg0.L..p.....L....3.Qfs.\.h..Q&s.<.iV.L..9..g6.L.0.:...U.s.\.aY...9.>g8.L.5i..6.R.s...A6.Vf..4.oL..@.U.g0........3.Sfsj...L..i .l.3.U@...RmP.Mh ....H.3....>g6.......3.V.sZ..qX.LjSi.Fg9..s....lk39...S........mUf.Jd.qI.L..i.jm1..U.:...R.2..........y..3..R...jm5.;.8J..gW...4......Sfs.P...0S.s.$.h..Ufs.P. .l....`.H...o.P.h....6@/E.g9.......L.@6..m1...T ....T@...........2.3..6.4...2..*.9...?R@5uN...)J...Z..9...X.L..9...C.L.`5P...F........J.3.Pf.J..Z."L.`...mB.L.6. ..D..(..8.N.L.i..3..A@..g3.....`.%F..@u.T.iY.kg5......x(.`,......UP...4..(@MH..8.M.....iX.M..i.Nl..M.3i.Jm6.D*.i..g7..(`..(...o@.@..T...g.t.r...B.jd.mJ..j....m6...3 ..........L.6...............A8.H(si...N.M.YI..p...q.Y..(...K...Z....L.r..V..4 ..1..H@.eVm6......6...f.........&..e"g8... .d...B..e\...M......|..&T...`...h..J...@u. p.....i...yR.. ..S.H....|......(..... .P.9@...Zm4.L....X... .uBm2.M
                    Process:C:\Users\user\Desktop\shipping doc.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):267776
                    Entropy (8bit):7.903691293241842
                    Encrypted:false
                    SSDEEP:6144:p8TxlPvbK+nzcFm+DokDCFjAoAausjzeZUrYKJ3WImj:2TnbKmobDokGFMDdsjzo0Y2Yj
                    MD5:E1A6E1608016E25141ECB39F29C6A3CC
                    SHA1:DA8366B9358014FCFBC2C1FF3FE4B48CE71A1DE7
                    SHA-256:F555C646B6A5B9E1B95F998815D9D26346CAAF5950ADDE982F9A45101EC3DFBE
                    SHA-512:8D44C96C3AA166EC50B44922544CD0C57957BC84E85454A8590C19F967B58D5A0065C162CF5181610013A524711FC44858AD61CE17C4A9AEB19A4187E38F4FCF
                    Malicious:false
                    Reputation:low
                    Process:C:\Users\user\Desktop\shipping doc.exe
                    File Type:ASCII text, with very long lines (65536), with no line terminators
                    Category:dropped
                    Size (bytes):86022
                    Entropy (8bit):4.179137230612306
                    Encrypted:false
                    SSDEEP:1536:Tm+tP4EQlPZLUC6L+phIrywDWUvBEdHOln98sePj8:Tm+t4EYiHKrgPbeL8
                    MD5:A29474C115176FEDF0426FA64D12F0BE
                    SHA1:E6A913C4DD5B997AEAC5006AF3E09A07DB549E96
                    SHA-256:D2726F6BDB845BAFCF2816F08BB42ECFC482B60B300E995988115E9764CA1382
                    SHA-512:83F8A92C2B5E952A4EEAC2C215A69ECF534B5F39890761CEC51EE85D24BAAC0EC00DBACAA6F05B6E1D174574D2A3C779DFE013E6BEB5FE4ED039D4B4153EA012
                    Malicious:false
                    Reputation:low
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.171474732971932
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:shipping doc.exe
                    File size:1'285'120 bytes
                    MD5:ac09eb920712db66910ef959bebb8fd0
                    SHA1:11fc5cca33cef45a601c5df6be4f3e7e73ad51a4
                    SHA256:2d3fb537499bf57a40ffd8def80f6685de2e297bb449dec013d2fe29340cb10b
                    SHA512:e6e1c6a678bb60e4f66d92cc6317de2289aefc43ea30e72381e27dde7a698fde3a0e679ac8eb3d83398cc25e6ab6ea300cac41b159fa9b922af23f47de50080d
                    SSDEEP:24576:RqDEvCTbMWu7rQYlBQcBiT6rprG8aHkNRoOiuIYWS+0H:RTvC/MTQYxsWR7aHkuRYWe
                    TLSH:BC55C00273D1C022FFABA2334B5AF6515BBC69660123E61F13981D7ABD701B1563E7A3
                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                    Icon Hash:aaf3e3e3938382a0
                    Entrypoint:0x420577
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x66C5C7CB [Wed Aug 21 10:56:11 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:1
                    File Version Major:5
                    File Version Minor:1
                    Subsystem Version Major:5
                    Subsystem Version Minor:1
                    Import Hash:948cc502fe9226992dce9417f952fce3
                    Instruction
                    call 00007EFFF0AE3383h
                    jmp 00007EFFF0AE2C8Fh
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007EFFF0AE2E6Dh
                    mov dword ptr [esi], 0049FDF0h
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 0049FDF8h
                    mov dword ptr [ecx], 0049FDF0h
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    push dword ptr [ebp+08h]
                    mov esi, ecx
                    call 00007EFFF0AE2E3Ah
                    mov dword ptr [esi], 0049FE0Ch
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    and dword ptr [ecx+04h], 00000000h
                    mov eax, ecx
                    and dword ptr [ecx+08h], 00000000h
                    mov dword ptr [ecx+04h], 0049FE14h
                    mov dword ptr [ecx], 0049FE0Ch
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    mov esi, ecx
                    lea eax, dword ptr [esi+04h]
                    mov dword ptr [esi], 0049FDD0h
                    and dword ptr [eax], 00000000h
                    and dword ptr [eax+04h], 00000000h
                    push eax
                    mov eax, dword ptr [ebp+08h]
                    add eax, 04h
                    push eax
                    call 00007EFFF0AE5A2Dh
                    pop ecx
                    pop ecx
                    mov eax, esi
                    pop esi
                    pop ebp
                    retn 0004h
                    lea eax, dword ptr [ecx+04h]
                    mov dword ptr [ecx], 0049FDD0h
                    push eax
                    call 00007EFFF0AE5A78h
                    pop ecx
                    ret
                    push ebp
                    mov ebp, esp
                    push esi
                    mov esi, ecx
                    lea eax, dword ptr [esi+04h]
                    mov dword ptr [esi], 0049FDD0h
                    push eax
                    call 00007EFFF0AE5A61h
                    test byte ptr [ebp+08h], 00000001h
                    pop ecx
                    Programming Language:
                    • [ C ] VS2008 SP1 build 30729
                    • [IMP] VS2008 SP1 build 30729
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x631e4 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x138000 | 0x7594 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0xd4000 | 0x631e4 | 0x63200 | d9aafbcf714ac0b9d46b0f433636f2ca | False | 0.9342956927805801 | data | 7.906608270690346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x138000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                    RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                    RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                    RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                    RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                    RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                    RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                    RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                    RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                    RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                    RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                    RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
                    RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                    RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
                    RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                    RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                    RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                    RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                    RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                    RT_RCDATA | 0xdc7b8 | 0x5a4aa | data | | | 1.000327173813116
                    RT_GROUP_ICON | 0x136c64 | 0x76 | data | English | Great Britain | 0.6610169491525424
                    RT_GROUP_ICON | 0x136cdc | 0x14 | data | English | Great Britain | 1.25
                    RT_GROUP_ICON | 0x136cf0 | 0x14 | data | English | Great Britain | 1.15
                    RT_GROUP_ICON | 0x136d04 | 0x14 | data | English | Great Britain | 1.25
                    RT_VERSION | 0x136d18 | 0xdc | data | English | Great Britain | 0.6181818181818182
                    RT_MANIFEST | 0x136df4 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                    DLL | Import
                    WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
                    VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                    WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                    COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                    MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
                    WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
                    PSAPI.DLL | GetProcessMemoryInfo
                    IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
                    USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
                    UxTheme.dll | IsThemeActive
                    KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
                    USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
                    GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
                    COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
                    ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
                    SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
                    ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                    OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
                    Language of compilation system | Country where language is spoken | Map
                    English | Great Britain |
                    Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
                    2024-08-21T14:36:22.905117+0200 | TCP | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 49735 | 587 | 192.168.2.4 | 162.251.80.30
                    2024-08-21T14:36:22.905117+0200 | TCP | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 49735 | 587 | 192.168.2.4 | 162.251.80.30
                    2024-08-21T14:36:16.456932+0200 | TCP | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 49735 | 587 | 192.168.2.4 | 162.251.80.30
                    2024-08-21T14:36:16.456932+0200 | TCP | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 49735 | 587 | 192.168.2.4 | 162.251.80.30
                    2024-08-21T14:36:16.456932+0200 | TCP | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 49735 | 587 | 192.168.2.4 | 162.251.80.30
TCP packets (one flow: 192.168.2.4:49735 to 162.251.80.30:587)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2024 14:36:21.014292955 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:21.019161940 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:21.019315958 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:21.693260908 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:21.694747925 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:21.699552059 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:21.863823891 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:21.866720915 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:21.873013973 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.042109013 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.042464018 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.049195051 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.228568077 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.228960991 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.242955923 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.400721073 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.400886059 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.405730963 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.712636948 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.712903023 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.717844963 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.885437012 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.905033112 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.905117035 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.905158997 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.905158997 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:36:22.909998894 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.910010099 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.910192013 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:22.910218000 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:23.191478014 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:36:23.238010883 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:38:00.691200972 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:38:00.696335077 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:38:01.057809114 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:38:01.057965994 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
Aug 21, 2024 14:38:01.058074951 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:38:01.058271885 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30
Aug 21, 2024 14:38:01.063008070 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4
UDP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 21, 2024 14:36:20.668103933 CEST | 52471 | 53 | 192.168.2.4 | 1.1.1.1
Aug 21, 2024 14:36:21.007420063 CEST | 53 | 52471 | 1.1.1.1 | 192.168.2.4
DNS queries
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 21, 2024 14:36:20.668103933 CEST | 192.168.2.4 | 1.1.1.1 | 0x32d2 | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false
DNS answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 21, 2024 14:36:21.007420063 CEST | 1.1.1.1 | 192.168.2.4 | 0x32d2 | No error (0) | mail.thelamalab.com | - | 162.251.80.30 | A (IP address) | IN (0x0001) | false
SMTP packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Aug 21, 2024 14:36:21.693260908 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 21 Aug 2024 18:06:21 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Aug 21, 2024 14:36:21.694747925 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | EHLO 813848
Aug 21, 2024 14:36:21.863823891 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 250-md-114.webhostbox.net Hello 813848 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Aug 21, 2024 14:36:21.866720915 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==   (base64 of billing@thelamalab.com)
Aug 21, 2024 14:36:22.042109013 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 334 UGFzc3dvcmQ6   (base64 of "Password:")
Aug 21, 2024 14:36:22.228568077 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 235 Authentication succeeded
Aug 21, 2024 14:36:22.228960991 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | MAIL FROM:<billing@thelamalab.com>
Aug 21, 2024 14:36:22.400721073 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 250 OK
Aug 21, 2024 14:36:22.400886059 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | RCPT TO:<jinhux31@gmail.com>
Aug 21, 2024 14:36:22.712636948 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 250 Accepted
Aug 21, 2024 14:36:22.712903023 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | DATA
Aug 21, 2024 14:36:22.885437012 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
Aug 21, 2024 14:36:22.905158997 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | .
Aug 21, 2024 14:36:23.191478014 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 250 OK id=1sgkZa-00266h-2Z
Aug 21, 2024 14:38:00.691200972 CEST | 49735 | 587 | 192.168.2.4 | 162.251.80.30 | QUIT
Aug 21, 2024 14:38:01.057809114 CEST | 587 | 49735 | 162.251.80.30 | 192.168.2.4 | 221 md-114.webhostbox.net closing connection

Two things are not reproduced in the Commands column: the client's answer to the 334 prompt (the packet at 14:36:22.042464018 CEST in the TCP list) and the message body sent between DATA and the terminating ".". Note that the server advertised STARTTLS but the client authenticated with AUTH LOGIN on port 587 without issuing it, so the submission account name and the password are recoverable from the capture, and the exfiltration recipient (jinhux31@gmail.com) is visible in the RCPT TO command.
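The transcript above is the whole exfiltration session: plaintext AUTH LOGIN, one MAIL FROM, one RCPT TO, one message. The Python below is an added example, not part of the Joe Sandbox report, showing how to pull the indicators out of such a client/server transcript automatically: the decoded AUTH LOGIN username, the envelope sender and recipient, the server's queue id, and whether STARTTLS was offered and actually used. TRANSCRIPT is constructed from the SMTP table above and trimmed to the lines that matter; the function names and the "C:"/"S:" line format are this example's own.

```python
"""Extract exfil indicators from an SMTP transcript (added example, not part of
the Joe Sandbox report). TRANSCRIPT is constructed from the report's SMTP table,
trimmed to the lines that matter ("C:" = client, "S:" = server); the parser and
its function names are this example's own."""
import base64
import re
from typing import Optional

_ADDR = re.compile(r"<([^>]*)>")
# Verbs that must never be mistaken for a bare base64 credential line.
_SMTP_VERBS = {"EHLO", "HELO", "MAIL", "RCPT", "DATA", "QUIT", "RSET",
               "NOOP", "AUTH", "STARTTLS", "VRFY", "HELP"}

# Constructed from the report's SMTP table. The client's reply to the 334
# prompt is not listed there either, so the parser has to tolerate that gap.
TRANSCRIPT = """\
S: 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 21 Aug 2024 18:06:21 +0530
C: EHLO 813848
S: 250-md-114.webhostbox.net Hello 813848 [8.46.123.33]
S: 250-AUTH PLAIN LOGIN
S: 250-STARTTLS
S: 250 HELP
C: AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
S: 334 UGFzc3dvcmQ6
S: 235 Authentication succeeded
C: MAIL FROM:<billing@thelamalab.com>
S: 250 OK
C: RCPT TO:<jinhux31@gmail.com>
S: 250 Accepted
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: .
S: 250 OK id=1sgkZa-00266h-2Z
C: QUIT
S: 221 md-114.webhostbox.net closing connection
"""


def b64_text(token: str) -> Optional[str]:
    """Decode one base64 SMTP AUTH token to text; None if it is not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def parse_smtp_transcript(transcript: str) -> dict:
    """Walk the dialogue and collect what an analyst wants from an exfil session."""
    info = {"server": None, "ehlo": None, "starttls_offered": False, "starttls_used": False,
            "auth_mechanism": None, "username": None, "password_seen": False,
            "auth_succeeded": False, "mail_from": None, "rcpt_to": [], "queue_id": None}
    expecting = None  # "username" / "password" while an AUTH LOGIN is in progress
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        line = line.strip()
        if side == "S":
            code, ext = line[:3], line[4:]          # ext skips the "250-"/"250 " prefix
            if code == "220" and info["server"] is None:
                info["server"] = ext.split()[0]
            elif code == "250" and ext.upper() == "STARTTLS":
                info["starttls_offered"] = True
            elif code == "334" and expecting:       # server prompt, e.g. base64("Password:")
                if (b64_text(ext) or "").lower().startswith("password"):
                    expecting = "password"
            elif code == "235":
                info["auth_succeeded"], expecting = True, None
            elif code == "250" and "id=" in ext:    # Exim-style queue id on the final 250
                info["queue_id"] = ext.split("id=", 1)[1].split()[0]
        elif side == "C":
            verb, _, rest = line.partition(" ")
            uverb = verb.upper()
            if uverb in ("EHLO", "HELO"):
                info["ehlo"] = rest
            elif uverb == "STARTTLS":
                info["starttls_used"] = True
            elif uverb == "AUTH":
                mech, _, initial = rest.partition(" ")
                info["auth_mechanism"] = mech.upper()
                if info["auth_mechanism"] == "LOGIN":
                    expecting = "username"
                    if initial:                     # initial-response form, as in the capture
                        info["username"], expecting = b64_text(initial), "password"
            elif expecting and uverb not in _SMTP_VERBS and not rest:
                if expecting == "username":         # bare base64 line answering the prompt
                    info["username"], expecting = b64_text(line), "password"
                else:
                    info["password_seen"], expecting = True, None
            elif uverb == "MAIL":
                m = _ADDR.search(rest)
                info["mail_from"] = m.group(1) if m else rest
            elif uverb == "RCPT":
                m = _ADDR.search(rest)
                info["rcpt_to"].append(m.group(1) if m else rest)
    # Credentials crossed the wire in the clear when AUTH happened without STARTTLS.
    info["cleartext_credentials"] = bool(info["auth_mechanism"]) and not info["starttls_used"]
    return info


if __name__ == "__main__": print(parse_smtp_transcript(TRANSCRIPT))
```

The same parser works on a transcript exported from a pcap (Wireshark's "Follow TCP Stream" output, with the client and server sides prefixed), which is where the missing password line would be present; `password_seen` then flips to True and the decoded value is one `b64_text()` call away. `cleartext_credentials` is the field worth alerting on: it is True whenever a client authenticated on a port where STARTTLS was on offer and never used it.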


                    Target ID:0
                    Start time:08:36:14
                    Start date:21/08/2024
                    Path:C:\Users\user\Desktop\shipping doc.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0xfd0000
                    File size:1'285'120 bytes
                    MD5 hash:AC09EB920712DB66910EF959BEBB8FD0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1849484585.0000000001610000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:1
                    Start time:08:36:15
                    Start date:21/08/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0x280000
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:08:36:15
                    Start date:21/08/2024
                    Path:C:\Users\user\Desktop\shipping doc.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0xfd0000
                    File size:1'285'120 bytes
                    MD5 hash:AC09EB920712DB66910EF959BEBB8FD0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1862188106.00000000009E0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:3
                    Start time:08:36:16
                    Start date:21/08/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0x280000
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:08:36:16
                    Start date:21/08/2024
                    Path:C:\Users\user\Desktop\shipping doc.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0xfd0000
                    File size:1'285'120 bytes
                    MD5 hash:AC09EB920712DB66910EF959BEBB8FD0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000004.00000002.1873906355.0000000000F00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:low
                    Has exited:true

                    Target ID:5
                    Start time:08:36:17
                    Start date:21/08/2024
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\shipping doc.exe"
                    Imagebase:0x580000
                    File size:45'984 bytes
                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.3089748754.0000000005170000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3088288855.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3088288855.0000000002A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3088288855.0000000002AAF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3087827951.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.3089848386.00000000051C0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3088288855.0000000002AB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.3087011399.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.3089267189.0000000003A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:high
                    Has exited:false
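Target IDs 1, 3 and 5 are RegSvcs.exe processes whose command line is the dropper's own path ("C:\Users\user\Desktop\shipping doc.exe"), and all of the AgentTesla and PureLog Stealer Yara hits sit in the memory of Target ID 5, not in the dropper. That is what a suspended-process injection (RunPE-style hollowing) looks like in process telemetry: the loader creates a signed .NET host with its own command line, writes the payload into it and resumes it. An image/command-line mismatch is therefore a cheap hunting check over Sysmon Event ID 1 or any EDR process-creation feed. The Python below is an added example, not the report's or the sandbox's code: PROCESSES is constructed from the process list above, and the HOLLOWING_HOSTS set is this example's own heuristic list of commonly hollowed .NET binaries.

```python
"""Flag processes whose command line names a different executable than their image.

Added example, not part of the Joe Sandbox report. PROCESSES is constructed from
the report's process list (Target IDs 0-5); the check is this example's heuristic.
"""
import ntpath

# Constructed from the report's process list above.
PROCESSES = [
    {"target": 0, "image": r"C:\Users\user\Desktop\shipping doc.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
    {"target": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
    {"target": 2, "image": r"C:\Users\user\Desktop\shipping doc.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
    {"target": 3, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
    {"target": 4, "image": r"C:\Users\user\Desktop\shipping doc.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
    {"target": 5, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\shipping doc.exe"'},
]

# .NET framework binaries that RunPE-style loaders commonly hollow. Heuristic list,
# this example's own assumption, not something the report states.
HOLLOWING_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "aspnet_compiler.exe", "caspol.exe",
}


def exe_from_cmdline(cmdline: str) -> str:
    """Return the executable token of a Windows command line.

    A quoted first token is taken verbatim (paths with spaces); otherwise the
    token ends at the first space. Close enough to how CreateProcess locates the
    image for a basename comparison.
    """
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_process(rec: dict) -> list:
    """Return human-readable findings for one process record (empty list = nothing odd)."""
    findings = []
    image = ntpath.basename(rec["image"]).lower()
    claimed = ntpath.basename(exe_from_cmdline(rec["cmdline"])).lower()
    if claimed != image:
        findings.append(f"command line names {claimed!r} but image is {image!r}")
        if image in HOLLOWING_HOSTS:
            findings.append(f"{image} is a .NET host commonly used for process hollowing")
    return findings


def suspicious_processes(records) -> dict:
    """Map target id -> findings for every record that has at least one finding."""
    out = {}
    for rec in records:
        found = check_process(rec)
        if found:
            out[rec["target"]] = found
    return out


if __name__ == "__main__":
    for target, findings in suspicious_processes(PROCESSES).items():
        print(f"Target {target}:")
        for finding in findings:
            print(f"  - {finding}")
```

The check deliberately ignores the parent process: a mismatch is interesting on its own, and here the three RegSvcs.exe instances would be flagged even without the parent/child links the interactive report provides. Pair it with the parent image in real telemetry (a user-writable path spawning a Framework binary) to cut false positives from legitimate launchers that rewrite command lines.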


                      Execution Graph

                      Execution Coverage:3.3%
                      Dynamic/Decrypted Code Coverage:1%
                      Signature Coverage:3%
                      Total number of Nodes:1983
                      Total number of Limit Nodes:59
execution_graph: node/edge dump of the interactive graph, not reproduced here (the dump is cut off at the end of this page). The nodes are code addresses inside the 32-bit sample's own image (base 0xfd0000) annotated with the Windows APIs and CRT helpers reachable from them.
Windows APIs named in the nodes: PeekMessageW, GetInputState, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, GetForegroundWindow, Sleep, timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, GetExitCodeProcess, WaitForSingleObject, WaitForSingleObjectEx, CloseHandle, EnterCriticalSection, LeaveCriticalSection, SetEvent, ResetEvent, RaiseException, RtlAllocateHeap, VirtualAlloc, GetCurrentProcess, TerminateProcess, FreeLibrary, lstrlenW, CharLowerBuffW, GetFileAttributesW, FindFirstFileW, FindClose.
CRT helpers named in the nodes: __wsopen_s, __fread_nolock, _wcslen, _strcat, _strftime, __onexit, __Init_thread_wait, __Init_thread_footer, __dosmaperr, _abort, ___std_exception_copy, __FrameHandler3::FrameUnwindToState, pre_c_initialization.
__fread_nolock 96320->96330 96331 ff918d EnterCriticalSection 96320->96331 96348 fff2d9 20 API calls __dosmaperr 96321->96348 96324 ffe69a 96349 10027ec 26 API calls pre_c_initialization 96324->96349 96326 ffe6c6 96332 ffe602 96326->96332 96328 ffe6d1 96350 ffe6ee LeaveCriticalSection __fread_nolock 96328->96350 96330->96060 96331->96326 96333 ffe60f 96332->96333 96334 ffe624 96332->96334 96383 fff2d9 20 API calls __dosmaperr 96333->96383 96346 ffe61f 96334->96346 96351 ffdc0b 96334->96351 96336 ffe614 96384 10027ec 26 API calls pre_c_initialization 96336->96384 96343 ffe646 96368 100862f 96343->96368 96346->96328 96348->96324 96349->96330 96350->96330 96352 ffdc1f 96351->96352 96353 ffdc23 96351->96353 96357 1004d7a 96352->96357 96353->96352 96354 ffd955 __fread_nolock 26 API calls 96353->96354 96355 ffdc43 96354->96355 96391 10059be 96355->96391 96358 1004d90 96357->96358 96359 ffe640 96357->96359 96358->96359 96360 10029c8 _free 20 API calls 96358->96360 96361 ffd955 96359->96361 96360->96359 96362 ffd976 96361->96362 96363 ffd961 96361->96363 96362->96343 96523 fff2d9 20 API calls __dosmaperr 96363->96523 96365 ffd966 96524 10027ec 26 API calls pre_c_initialization 96365->96524 96367 ffd971 96367->96343 96369 100863e 96368->96369 96371 1008653 96368->96371 96528 fff2c6 20 API calls __dosmaperr 96369->96528 96372 100868e 96371->96372 96377 100867a 96371->96377 96530 fff2c6 20 API calls __dosmaperr 96372->96530 96373 1008643 96529 fff2d9 20 API calls __dosmaperr 96373->96529 96375 1008693 96531 fff2d9 20 API calls __dosmaperr 96375->96531 96525 1008607 96377->96525 96380 100869b 96532 10027ec 26 API calls pre_c_initialization 96380->96532 96381 ffe64c 96381->96346 96385 10029c8 96381->96385 96383->96336 96384->96346 96386 10029fc __dosmaperr 96385->96386 96387 10029d3 RtlFreeHeap 96385->96387 96386->96346 96387->96386 96388 10029e8 96387->96388 96582 fff2d9 20 API calls __dosmaperr 96388->96582 96390 10029ee GetLastError 96390->96386 96392 10059ca 
__FrameHandler3::FrameUnwindToState 96391->96392 96393 10059d2 96392->96393 96394 10059ea 96392->96394 96470 fff2c6 20 API calls __dosmaperr 96393->96470 96396 1005a88 96394->96396 96400 1005a1f 96394->96400 96475 fff2c6 20 API calls __dosmaperr 96396->96475 96397 10059d7 96471 fff2d9 20 API calls __dosmaperr 96397->96471 96416 1005147 EnterCriticalSection 96400->96416 96401 1005a8d 96476 fff2d9 20 API calls __dosmaperr 96401->96476 96404 1005a25 96406 1005a41 96404->96406 96407 1005a56 96404->96407 96405 1005a95 96477 10027ec 26 API calls pre_c_initialization 96405->96477 96472 fff2d9 20 API calls __dosmaperr 96406->96472 96417 1005aa9 96407->96417 96411 1005a46 96473 fff2c6 20 API calls __dosmaperr 96411->96473 96412 10059df __fread_nolock 96412->96352 96413 1005a51 96474 1005a80 LeaveCriticalSection __wsopen_s 96413->96474 96416->96404 96418 1005ad7 96417->96418 96456 1005ad0 96417->96456 96419 1005afa 96418->96419 96420 1005adb 96418->96420 96423 1005b4b 96419->96423 96424 1005b2e 96419->96424 96485 fff2c6 20 API calls __dosmaperr 96420->96485 96428 1005b61 96423->96428 96491 1009424 28 API calls __wsopen_s 96423->96491 96488 fff2c6 20 API calls __dosmaperr 96424->96488 96425 1005cb1 96425->96413 96426 1005ae0 96486 fff2d9 20 API calls __dosmaperr 96426->96486 96478 100564e 96428->96478 96431 1005b33 96489 fff2d9 20 API calls __dosmaperr 96431->96489 96433 1005ae7 96487 10027ec 26 API calls pre_c_initialization 96433->96487 96437 1005ba8 96443 1005c02 WriteFile 96437->96443 96444 1005bbc 96437->96444 96438 1005b6f 96440 1005b73 96438->96440 96441 1005b95 96438->96441 96439 1005b3b 96490 10027ec 26 API calls pre_c_initialization 96439->96490 96461 1005c69 96440->96461 96492 10055e1 GetLastError WriteConsoleW CreateFileW __wsopen_s 96440->96492 96493 100542e 45 API calls 3 library calls 96441->96493 96446 1005c25 GetLastError 96443->96446 96451 1005b8b 96443->96451 96447 1005bf2 96444->96447 96448 1005bc4 96444->96448 96446->96451 96496 10056c4 7 API calls 2 
library calls 96447->96496 96452 1005be2 96448->96452 96453 1005bc9 96448->96453 96451->96456 96460 1005c45 96451->96460 96451->96461 96495 1005891 8 API calls 2 library calls 96452->96495 96454 1005bd2 96453->96454 96453->96461 96494 10057a3 7 API calls 2 library calls 96454->96494 96502 ff0a8c 96456->96502 96459 1005c8e 96501 fff2c6 20 API calls __dosmaperr 96459->96501 96464 1005c60 96460->96464 96465 1005c4c 96460->96465 96461->96456 96500 fff2d9 20 API calls __dosmaperr 96461->96500 96462 1005be0 96462->96451 96499 fff2a3 20 API calls __dosmaperr 96464->96499 96497 fff2d9 20 API calls __dosmaperr 96465->96497 96468 1005c51 96498 fff2c6 20 API calls __dosmaperr 96468->96498 96470->96397 96471->96412 96472->96411 96473->96413 96474->96412 96475->96401 96476->96405 96477->96412 96509 100f89b 96478->96509 96480 1005663 96480->96437 96480->96438 96481 100565e 96481->96480 96518 1002d74 38 API calls 2 library calls 96481->96518 96483 1005686 96483->96480 96484 10056a4 GetConsoleMode 96483->96484 96484->96480 96485->96426 96486->96433 96487->96456 96488->96431 96489->96439 96490->96456 96491->96428 96492->96451 96493->96451 96494->96462 96495->96462 96496->96462 96497->96468 96498->96456 96499->96456 96500->96459 96501->96456 96503 ff0a97 IsProcessorFeaturePresent 96502->96503 96504 ff0a95 96502->96504 96506 ff0c5d 96503->96506 96504->96425 96522 ff0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96506->96522 96508 ff0d40 96508->96425 96510 100f8b5 96509->96510 96511 100f8a8 96509->96511 96514 100f8c1 96510->96514 96520 fff2d9 20 API calls __dosmaperr 96510->96520 96519 fff2d9 20 API calls __dosmaperr 96511->96519 96513 100f8ad 96513->96481 96514->96481 96516 100f8e2 96521 10027ec 26 API calls pre_c_initialization 96516->96521 96518->96483 96519->96513 96520->96516 96521->96513 96522->96508 96523->96365 96524->96367 96533 1008585 96525->96533 96527 100862b 96527->96381 96528->96373 96529->96381 96530->96375 96531->96380 
96532->96381 96534 1008591 __FrameHandler3::FrameUnwindToState 96533->96534 96544 1005147 EnterCriticalSection 96534->96544 96536 100859f 96537 10085d1 96536->96537 96538 10085c6 96536->96538 96560 fff2d9 20 API calls __dosmaperr 96537->96560 96545 10086ae 96538->96545 96541 10085cc 96561 10085fb LeaveCriticalSection __wsopen_s 96541->96561 96543 10085ee __fread_nolock 96543->96527 96544->96536 96562 10053c4 96545->96562 96547 10086c4 96575 1005333 21 API calls 2 library calls 96547->96575 96548 10086be 96548->96547 96550 10086f6 96548->96550 96553 10053c4 __wsopen_s 26 API calls 96548->96553 96550->96547 96551 10053c4 __wsopen_s 26 API calls 96550->96551 96554 1008702 FindCloseChangeNotification 96551->96554 96552 100871c 96555 100873e 96552->96555 96576 fff2a3 20 API calls __dosmaperr 96552->96576 96556 10086ed 96553->96556 96554->96547 96557 100870e GetLastError 96554->96557 96555->96541 96559 10053c4 __wsopen_s 26 API calls 96556->96559 96557->96547 96559->96550 96560->96541 96561->96543 96563 10053d1 96562->96563 96564 10053e6 96562->96564 96577 fff2c6 20 API calls __dosmaperr 96563->96577 96568 100540b 96564->96568 96579 fff2c6 20 API calls __dosmaperr 96564->96579 96567 10053d6 96578 fff2d9 20 API calls __dosmaperr 96567->96578 96568->96548 96569 1005416 96580 fff2d9 20 API calls __dosmaperr 96569->96580 96572 10053de 96572->96548 96573 100541e 96581 10027ec 26 API calls pre_c_initialization 96573->96581 96575->96552 96576->96555 96577->96567 96578->96572 96579->96569 96580->96573 96581->96572 96582->96390 96792 fd4e90 LoadLibraryA 96583->96792 96588 fd4ef6 LoadLibraryExW 96800 fd4e59 LoadLibraryA 96588->96800 96589 1013ccf 96591 fd4f39 68 API calls 96589->96591 96593 1013cd6 96591->96593 96594 fd4e59 3 API calls 96593->96594 96598 1013cde 96594->96598 96596 fd4f20 96597 fd4f2c 96596->96597 96596->96598 96600 fd4f39 68 API calls 96597->96600 96822 fd50f5 96598->96822 96602 fd4f31 96600->96602 96602->96080 96602->96082 96604 1013d05 96606 fda961 22 API calls 
96605->96606 96607 fd5275 96606->96607 96608 fda961 22 API calls 96607->96608 96609 fd527d 96608->96609 96610 fda961 22 API calls 96609->96610 96611 fd5285 96610->96611 96612 fda961 22 API calls 96611->96612 96613 fd528d 96612->96613 96614 1013df5 96613->96614 96615 fd52c1 96613->96615 96616 fda8c7 22 API calls 96614->96616 96617 fd6d25 22 API calls 96615->96617 96618 1013dfe 96616->96618 96619 fd52cf 96617->96619 97065 fda6c3 96618->97065 96621 fd93b2 22 API calls 96619->96621 96622 fd52d9 96621->96622 96623 fd5304 96622->96623 96624 fd6d25 22 API calls 96622->96624 96625 fd5349 96623->96625 96626 fd5325 96623->96626 96642 1013e20 96623->96642 96628 fd52fa 96624->96628 96627 fd6d25 22 API calls 96625->96627 96626->96625 96632 fd4c6d 22 API calls 96626->96632 96629 fd535a 96627->96629 96630 fd93b2 22 API calls 96628->96630 96631 fd5370 96629->96631 96636 fda8c7 22 API calls 96629->96636 96630->96623 96633 fd5384 96631->96633 96639 fda8c7 22 API calls 96631->96639 96634 fd5332 96632->96634 96637 fd538f 96633->96637 96640 fda8c7 22 API calls 96633->96640 96634->96625 96638 fd6d25 22 API calls 96634->96638 96635 fd6b57 22 API calls 96644 1013ee0 96635->96644 96636->96631 96641 fda8c7 22 API calls 96637->96641 96645 fd539a 96637->96645 96638->96625 96639->96633 96640->96637 96641->96645 96642->96635 96643 fd4c6d 22 API calls 96643->96644 96644->96625 96644->96643 97071 fd49bd 22 API calls __fread_nolock 96644->97071 96645->96115 96648 fdaec9 22 API calls 96647->96648 96649 fd4c78 96648->96649 96649->96119 96649->96121 96651 1014a51 96650->96651 96652 fd6362 96650->96652 97082 fd4a88 22 API calls __fread_nolock 96651->97082 97072 fd6373 96652->97072 96655 fd636e 96655->96128 96656 1014a67 96657 1014a5b 96657->96656 96658 fda8c7 22 API calls 96657->96658 96658->96656 96660 103d7d8 96659->96660 96661 103d7f3 96660->96661 96662 103d7dd 96660->96662 96663 fda961 22 API calls 96661->96663 96664 fda8c7 22 API calls 96662->96664 96712 103d7ee 96662->96712 96665 103d7fb 
96663->96665 96664->96712 96666 fda961 22 API calls 96665->96666 96667 103d803 96666->96667 96668 fda961 22 API calls 96667->96668 96669 103d80e 96668->96669 96670 fda961 22 API calls 96669->96670 96671 103d816 96670->96671 96672 fda961 22 API calls 96671->96672 96673 103d81e 96672->96673 96674 fda961 22 API calls 96673->96674 96675 103d826 96674->96675 96676 fda961 22 API calls 96675->96676 96677 103d82e 96676->96677 96678 fda961 22 API calls 96677->96678 96679 103d836 96678->96679 96680 fd525f 22 API calls 96679->96680 96681 103d84d 96680->96681 96682 fd525f 22 API calls 96681->96682 96683 103d866 96682->96683 96684 fd4c6d 22 API calls 96683->96684 96685 103d872 96684->96685 96686 103d885 96685->96686 96687 fd93b2 22 API calls 96685->96687 96688 fd4c6d 22 API calls 96686->96688 96687->96686 96689 103d88e 96688->96689 96690 103d89e 96689->96690 96691 fd93b2 22 API calls 96689->96691 96692 103d8b0 96690->96692 96693 fda8c7 22 API calls 96690->96693 96691->96690 96694 fd6350 22 API calls 96692->96694 96693->96692 96695 103d8bb 96694->96695 97088 103d978 22 API calls 96695->97088 96697 103d8ca 97089 103d978 22 API calls 96697->97089 96699 103d8dd 96700 fd4c6d 22 API calls 96699->96700 96701 103d8e7 96700->96701 96702 103d8fe 96701->96702 96703 103d8ec 96701->96703 96704 fd4c6d 22 API calls 96702->96704 96705 fd33c6 22 API calls 96703->96705 96706 103d907 96704->96706 96707 103d8f9 96705->96707 96708 103d925 96706->96708 96709 fd33c6 22 API calls 96706->96709 96710 fd6350 22 API calls 96707->96710 96711 fd6350 22 API calls 96708->96711 96709->96707 96710->96708 96711->96712 96712->96136 96714 1042954 __wsopen_s 96713->96714 96715 fefe0b 22 API calls 96714->96715 96716 1042971 96715->96716 96717 fd5722 22 API calls 96716->96717 96718 104297b 96717->96718 96719 104274e 27 API calls 96718->96719 96720 1042986 96719->96720 96721 fd511f 64 API calls 96720->96721 96722 104299b 96721->96722 96723 1042a6c 96722->96723 96724 10429bf 96722->96724 96725 1042e66 75 API calls 
96723->96725 97103 1042e66 96724->97103 96741 1042a38 96725->96741 96729 fd50f5 40 API calls 96730 1042a91 96729->96730 96732 fd50f5 40 API calls 96730->96732 96731 1042a75 ISource 96731->96143 96734 1042aa1 96732->96734 96733 10429ed 97110 ffd583 26 API calls 96733->97110 96735 fd50f5 40 API calls 96734->96735 96737 1042abc 96735->96737 96738 fd50f5 40 API calls 96737->96738 96739 1042acc 96738->96739 96740 fd50f5 40 API calls 96739->96740 96742 1042ae7 96740->96742 96741->96729 96741->96731 96743 fd50f5 40 API calls 96742->96743 96744 1042af7 96743->96744 96745 fd50f5 40 API calls 96744->96745 96746 1042b07 96745->96746 96747 fd50f5 40 API calls 96746->96747 96748 1042b17 96747->96748 97090 1043017 GetTempPathW GetTempFileNameW 96748->97090 96750 1042b22 96751 ffe5eb 29 API calls 96750->96751 96762 1042b33 96751->96762 96752 1042bed 96753 ffe678 67 API calls 96752->96753 96754 1042bf8 96753->96754 96756 1042c12 96754->96756 96757 1042bfe DeleteFileW 96754->96757 96755 fd50f5 40 API calls 96755->96762 96758 1042c91 CopyFileW 96756->96758 96764 1042c18 96756->96764 96757->96731 96759 1042ca7 DeleteFileW 96758->96759 96760 1042cb9 DeleteFileW 96758->96760 96759->96731 97100 1042fd8 CreateFileW 96760->97100 96762->96731 96762->96752 96762->96755 97091 ffdbb3 96762->97091 97111 10422ce 96764->97111 96767 1042c80 DeleteFileW 96767->96731 96768->96070 96770 fd33dd 96769->96770 96771 10130bb 96769->96771 97218 fd33ee 96770->97218 96773 fefddb 22 API calls 96771->96773 96775 10130c5 _wcslen 96773->96775 96774 fd33e8 96774->96098 96776 fefe0b 22 API calls 96775->96776 96777 10130fe __fread_nolock 96776->96777 96778->96103 96779->96116 96781 1014ba1 96780->96781 96784 fd6b67 _wcslen 96780->96784 96782 fd93b2 22 API calls 96781->96782 96783 1014baa 96782->96783 96783->96783 96785 fd6b7d 96784->96785 96786 fd6ba2 96784->96786 97228 fd6f34 22 API calls 96785->97228 96788 fefddb 22 API calls 96786->96788 96790 fd6bae 96788->96790 96789 fd6b85 __fread_nolock 96789->96127 96791 
fefe0b 22 API calls 96790->96791 96791->96789 96793 fd4ea8 GetProcAddress 96792->96793 96794 fd4ec6 96792->96794 96795 fd4eb8 96793->96795 96797 ffe5eb 96794->96797 96795->96794 96796 fd4ebf FreeLibrary 96795->96796 96796->96794 96830 ffe52a 96797->96830 96799 fd4eea 96799->96588 96799->96589 96801 fd4e8d 96800->96801 96802 fd4e6e GetProcAddress 96800->96802 96805 fd4f80 96801->96805 96803 fd4e7e 96802->96803 96803->96801 96804 fd4e86 FreeLibrary 96803->96804 96804->96801 96806 fefe0b 22 API calls 96805->96806 96807 fd4f95 96806->96807 96891 fd5722 96807->96891 96809 fd4fa1 __fread_nolock 96810 fd50a5 96809->96810 96811 1013d1d 96809->96811 96820 fd4fdc 96809->96820 96894 fd42a2 CreateStreamOnHGlobal 96810->96894 96905 104304d 74 API calls 96811->96905 96814 1013d22 96816 fd511f 64 API calls 96814->96816 96815 fd50f5 40 API calls 96815->96820 96817 1013d45 96816->96817 96818 fd50f5 40 API calls 96817->96818 96821 fd506e ISource 96818->96821 96820->96814 96820->96815 96820->96821 96900 fd511f 96820->96900 96821->96596 96823 1013d70 96822->96823 96824 fd5107 96822->96824 96927 ffe8c4 96824->96927 96827 10428fe 97048 104274e 96827->97048 96829 1042919 96829->96604 96833 ffe536 __FrameHandler3::FrameUnwindToState 96830->96833 96831 ffe544 96855 fff2d9 20 API calls __dosmaperr 96831->96855 96833->96831 96834 ffe574 96833->96834 96836 ffe579 96834->96836 96837 ffe586 96834->96837 96835 ffe549 96856 10027ec 26 API calls pre_c_initialization 96835->96856 96857 fff2d9 20 API calls __dosmaperr 96836->96857 96847 1008061 96837->96847 96841 ffe58f 96842 ffe595 96841->96842 96843 ffe5a2 96841->96843 96858 fff2d9 20 API calls __dosmaperr 96842->96858 96859 ffe5d4 LeaveCriticalSection __fread_nolock 96843->96859 96844 ffe554 __fread_nolock 96844->96799 96848 100806d __FrameHandler3::FrameUnwindToState 96847->96848 96860 1002f5e EnterCriticalSection 96848->96860 96850 100807b 96861 10080fb 96850->96861 96854 10080ac __fread_nolock 96854->96841 96855->96835 96856->96844 
96857->96844 96858->96844 96859->96844 96860->96850 96862 100811e 96861->96862 96863 1008177 96862->96863 96870 1008088 96862->96870 96877 ff918d EnterCriticalSection 96862->96877 96878 ff91a1 LeaveCriticalSection 96862->96878 96879 1004c7d 96863->96879 96867 10029c8 _free 20 API calls 96868 1008189 96867->96868 96868->96870 96886 1003405 11 API calls 2 library calls 96868->96886 96874 10080b7 96870->96874 96871 10081a8 96887 ff918d EnterCriticalSection 96871->96887 96890 1002fa6 LeaveCriticalSection 96874->96890 96876 10080be 96876->96854 96877->96862 96878->96862 96884 1004c8a _abort 96879->96884 96880 1004cca 96889 fff2d9 20 API calls __dosmaperr 96880->96889 96881 1004cb5 RtlAllocateHeap 96882 1004cc8 96881->96882 96881->96884 96882->96867 96884->96880 96884->96881 96888 ff4ead 7 API calls 2 library calls 96884->96888 96886->96871 96887->96870 96888->96884 96889->96882 96890->96876 96892 fefddb 22 API calls 96891->96892 96893 fd5734 96892->96893 96893->96809 96895 fd42bc FindResourceExW 96894->96895 96899 fd42d9 96894->96899 96896 10135ba LoadResource 96895->96896 96895->96899 96897 10135cf SizeofResource 96896->96897 96896->96899 96898 10135e3 LockResource 96897->96898 96897->96899 96898->96899 96899->96820 96901 1013d90 96900->96901 96902 fd512e 96900->96902 96906 ffece3 96902->96906 96905->96814 96909 ffeaaa 96906->96909 96908 fd513c 96908->96820 96910 ffeab6 __FrameHandler3::FrameUnwindToState 96909->96910 96911 ffeac2 96910->96911 96912 ffeae8 96910->96912 96922 fff2d9 20 API calls __dosmaperr 96911->96922 96924 ff918d EnterCriticalSection 96912->96924 96915 ffeac7 96923 10027ec 26 API calls pre_c_initialization 96915->96923 96916 ffeaf4 96925 ffec0a 62 API calls 2 library calls 96916->96925 96919 ffeb08 96926 ffeb27 LeaveCriticalSection __fread_nolock 96919->96926 96921 ffead2 __fread_nolock 96921->96908 96922->96915 96923->96921 96924->96916 96925->96919 96926->96921 96930 ffe8e1 96927->96930 96929 fd5118 96929->96827 96931 ffe8ed 
__FrameHandler3::FrameUnwindToState 96930->96931 96932 ffe92d 96931->96932 96933 ffe925 __fread_nolock 96931->96933 96936 ffe900 ___scrt_fastfail 96931->96936 96943 ff918d EnterCriticalSection 96932->96943 96933->96929 96935 ffe937 96944 ffe6f8 96935->96944 96957 fff2d9 20 API calls __dosmaperr 96936->96957 96939 ffe91a 96958 10027ec 26 API calls pre_c_initialization 96939->96958 96943->96935 96948 ffe70a ___scrt_fastfail 96944->96948 96950 ffe727 96944->96950 96945 ffe717 97025 fff2d9 20 API calls __dosmaperr 96945->97025 96947 ffe71c 97026 10027ec 26 API calls pre_c_initialization 96947->97026 96948->96945 96948->96950 96952 ffe76a __fread_nolock 96948->96952 96959 ffe96c LeaveCriticalSection __fread_nolock 96950->96959 96951 ffe886 ___scrt_fastfail 97028 fff2d9 20 API calls __dosmaperr 96951->97028 96952->96950 96952->96951 96954 ffd955 __fread_nolock 26 API calls 96952->96954 96960 1008d45 96952->96960 97027 ffcf78 26 API calls 4 library calls 96952->97027 96954->96952 96957->96939 96958->96933 96959->96933 96961 1008d57 96960->96961 96962 1008d6f 96960->96962 97029 fff2c6 20 API calls __dosmaperr 96961->97029 96964 10090d9 96962->96964 96967 1008db4 96962->96967 97045 fff2c6 20 API calls __dosmaperr 96964->97045 96965 1008d5c 97030 fff2d9 20 API calls __dosmaperr 96965->97030 96970 1008dbf 96967->96970 96971 1008d64 96967->96971 96978 1008def 96967->96978 96969 10090de 97046 fff2d9 20 API calls __dosmaperr 96969->97046 97031 fff2c6 20 API calls __dosmaperr 96970->97031 96971->96952 96974 1008dcc 97047 10027ec 26 API calls pre_c_initialization 96974->97047 96975 1008dc4 97032 fff2d9 20 API calls __dosmaperr 96975->97032 96979 1008e08 96978->96979 96980 1008e4a 96978->96980 96981 1008e2e 96978->96981 96979->96981 97014 1008e15 96979->97014 97036 1003820 21 API calls 2 library calls 96980->97036 97033 fff2c6 20 API calls __dosmaperr 96981->97033 96983 1008e33 97034 fff2d9 20 API calls __dosmaperr 96983->97034 96986 100f89b __fread_nolock 26 API calls 96989 
1008fb3 96986->96989 96987 1008e61 96990 10029c8 _free 20 API calls 96987->96990 96988 1008e3a 97035 10027ec 26 API calls pre_c_initialization 96988->97035 96992 1009029 96989->96992 96995 1008fcc GetConsoleMode 96989->96995 96993 1008e6a 96990->96993 96994 100902d ReadFile 96992->96994 96996 10029c8 _free 20 API calls 96993->96996 96997 10090a1 GetLastError 96994->96997 96998 1009047 96994->96998 96995->96992 96999 1008fdd 96995->96999 97000 1008e71 96996->97000 97001 1009005 96997->97001 97002 10090ae 96997->97002 96998->96997 97003 100901e 96998->97003 96999->96994 97004 1008fe3 ReadConsoleW 96999->97004 97005 1008e96 97000->97005 97006 1008e7b 97000->97006 97023 1008e45 __fread_nolock 97001->97023 97040 fff2a3 20 API calls __dosmaperr 97001->97040 97043 fff2d9 20 API calls __dosmaperr 97002->97043 97018 1009083 97003->97018 97019 100906c 97003->97019 97003->97023 97004->97003 97010 1008fff GetLastError 97004->97010 97039 1009424 28 API calls __wsopen_s 97005->97039 97037 fff2d9 20 API calls __dosmaperr 97006->97037 97010->97001 97011 10029c8 _free 20 API calls 97011->96971 97012 1008e80 97038 fff2c6 20 API calls __dosmaperr 97012->97038 97013 10090b3 97044 fff2c6 20 API calls __dosmaperr 97013->97044 97014->96986 97021 100909a 97018->97021 97018->97023 97041 1008a61 31 API calls 3 library calls 97019->97041 97042 10088a1 29 API calls __wsopen_s 97021->97042 97023->97011 97024 100909f 97024->97023 97025->96947 97026->96950 97027->96952 97028->96947 97029->96965 97030->96971 97031->96975 97032->96974 97033->96983 97034->96988 97035->97023 97036->96987 97037->97012 97038->97023 97039->97014 97040->97023 97041->97023 97042->97024 97043->97013 97044->97023 97045->96969 97046->96974 97047->96971 97051 ffe4e8 97048->97051 97050 104275d 97050->96829 97054 ffe469 97051->97054 97053 ffe505 97053->97050 97055 ffe48c 97054->97055 97056 ffe478 97054->97056 97061 ffe488 __alldvrm 97055->97061 97064 100333f 11 API calls 2 library calls 97055->97064 97062 fff2d9 20 API calls 
__dosmaperr 97056->97062 97058 ffe47d 97063 10027ec 26 API calls pre_c_initialization 97058->97063 97061->97053 97062->97058 97063->97061 97064->97061 97066 fda6dd 97065->97066 97067 fda6d0 97065->97067 97068 fefddb 22 API calls 97066->97068 97067->96623 97069 fda6e7 97068->97069 97070 fefe0b 22 API calls 97069->97070 97070->97067 97071->96644 97074 fd6382 97072->97074 97079 fd63b6 __fread_nolock 97072->97079 97073 1014a82 97076 fefddb 22 API calls 97073->97076 97074->97073 97075 fd63a9 97074->97075 97074->97079 97083 fda587 97075->97083 97078 1014a91 97076->97078 97080 fefe0b 22 API calls 97078->97080 97079->96655 97081 1014ac5 __fread_nolock 97080->97081 97082->96657 97084 fda59d 97083->97084 97087 fda598 __fread_nolock 97083->97087 97085 101f80f 97084->97085 97086 fefe0b 22 API calls 97084->97086 97086->97087 97087->97079 97088->96697 97089->96699 97090->96750 97092 ffdbc1 97091->97092 97097 ffdbdd 97091->97097 97093 ffdbcd 97092->97093 97094 ffdbe3 97092->97094 97092->97097 97143 fff2d9 20 API calls __dosmaperr 97093->97143 97140 ffd9cc 97094->97140 97097->96762 97098 ffdbd2 97144 10027ec 26 API calls pre_c_initialization 97098->97144 97101 1043013 97100->97101 97102 1042fff SetFileTime CloseHandle 97100->97102 97101->96731 97102->97101 97108 1042e7a 97103->97108 97104 fd50f5 40 API calls 97104->97108 97105 10429c4 97105->96731 97109 ffd583 26 API calls 97105->97109 97106 10428fe 27 API calls 97106->97108 97107 fd511f 64 API calls 97107->97108 97108->97104 97108->97105 97108->97106 97108->97107 97109->96733 97110->96741 97112 10422e7 97111->97112 97113 10422d9 97111->97113 97115 104232c 97112->97115 97116 ffe5eb 29 API calls 97112->97116 97139 10422f0 97112->97139 97114 ffe5eb 29 API calls 97113->97114 97114->97112 97186 1042557 97115->97186 97118 1042311 97116->97118 97118->97115 97119 104231a 97118->97119 97122 ffe678 67 API calls 97119->97122 97119->97139 97120 1042370 97121 1042395 97120->97121 97125 1042374 97120->97125 97190 1042171 97121->97190 
97122->97139 97124 1042381 97130 ffe678 67 API calls 97124->97130 97124->97139 97125->97124 97127 ffe678 67 API calls 97125->97127 97126 104239d 97128 10423c3 97126->97128 97129 10423a3 97126->97129 97127->97124 97197 10423f3 97128->97197 97131 10423b0 97129->97131 97133 ffe678 67 API calls 97129->97133 97130->97139 97134 ffe678 67 API calls 97131->97134 97131->97139 97133->97131 97134->97139 97135 10423ca 97136 10423de 97135->97136 97137 ffe678 67 API calls 97135->97137 97138 ffe678 67 API calls 97136->97138 97136->97139 97137->97136 97138->97139 97139->96760 97139->96767 97145 ffd97b 97140->97145 97142 ffd9f0 97142->97097 97143->97098 97144->97097 97146 ffd987 __FrameHandler3::FrameUnwindToState 97145->97146 97153 ff918d EnterCriticalSection 97146->97153 97148 ffd995 97154 ffd9f4 97148->97154 97152 ffd9b3 __fread_nolock 97152->97142 97153->97148 97162 10049a1 97154->97162 97160 ffd9a2 97161 ffd9c0 LeaveCriticalSection __fread_nolock 97160->97161 97161->97152 97163 ffd955 __fread_nolock 26 API calls 97162->97163 97164 10049b0 97163->97164 97165 100f89b __fread_nolock 26 API calls 97164->97165 97166 10049b6 97165->97166 97170 ffda09 97166->97170 97183 1003820 21 API calls 2 library calls 97166->97183 97168 1004a15 97169 10029c8 _free 20 API calls 97168->97169 97169->97170 97171 ffda3a 97170->97171 97174 ffda4c 97171->97174 97177 ffda24 97171->97177 97172 ffda5a 97184 fff2d9 20 API calls __dosmaperr 97172->97184 97174->97172 97174->97177 97181 ffda85 __fread_nolock 97174->97181 97175 ffda5f 97185 10027ec 26 API calls pre_c_initialization 97175->97185 97182 1004a56 62 API calls 97177->97182 97178 ffdc0b 62 API calls 97178->97181 97179 ffd955 __fread_nolock 26 API calls 97179->97181 97180 10059be __wsopen_s 62 API calls 97180->97181 97181->97177 97181->97178 97181->97179 97181->97180 97182->97160 97183->97168 97184->97175 97185->97177 97187 104257c 97186->97187 97189 1042565 __fread_nolock 97186->97189 97188 ffe8c4 __fread_nolock 40 API calls 97187->97188 97188->97189 
97189->97120 97191 ffea0c ___std_exception_copy 21 API calls 97190->97191 97192 104217f 97191->97192 97193 ffea0c ___std_exception_copy 21 API calls 97192->97193 97194 1042190 97193->97194 97195 ffea0c ___std_exception_copy 21 API calls 97194->97195 97196 104219c 97195->97196 97196->97126 97201 1042408 97197->97201 97198 10424c0 97209 1042724 97198->97209 97200 10421cc 40 API calls 97200->97201 97201->97198 97201->97200 97204 10424c7 97201->97204 97205 1042606 97201->97205 97213 1042269 40 API calls 97201->97213 97204->97135 97206 1042617 97205->97206 97207 104261d 97205->97207 97206->97207 97214 10426d7 97206->97214 97207->97201 97210 1042731 97209->97210 97211 1042742 97209->97211 97212 ffdbb3 65 API calls 97210->97212 97211->97204 97212->97211 97213->97201 97215 1042703 97214->97215 97216 1042714 97214->97216 97217 ffdbb3 65 API calls 97215->97217 97216->97206 97217->97216 97219 fd33fe _wcslen 97218->97219 97220 101311d 97219->97220 97221 fd3411 97219->97221 97223 fefddb 22 API calls 97220->97223 97222 fda587 22 API calls 97221->97222 97225 fd341e __fread_nolock 97222->97225 97224 1013127 97223->97224 97226 fefe0b 22 API calls 97224->97226 97225->96774 97227 1013157 __fread_nolock 97226->97227 97228->96789 97230 fdae01 97229->97230 97233 fdae1c ISource 97229->97233 97231 fdaec9 22 API calls 97230->97231 97232 fdae09 CharUpperBuffW 97231->97232 97232->97233 97233->95950 97235 fdacae 97234->97235 97237 fdacd1 97235->97237 97264 104359c 82 API calls __wsopen_s 97235->97264 97237->95976 97239 101fadb 97238->97239 97240 fdad92 97238->97240 97241 fefddb 22 API calls 97240->97241 97242 fdad99 97241->97242 97265 fdadcd 97242->97265 97245->96000 97246->95977 97247->95977 97248->95955 97249->95992 97250->95968 97251->95992 97252->95992 97253->95976 97254->95976 97255->95976 97256->95976 97257->95976 97258->95976 97259->95983 97260->95992 97261->95989 97262->95999 97263->95992 97264->97237 97268 fdaddd 97265->97268 97266 fdadb6 97266->95976 97267 fefddb 22 API calls 

                      Control-flow Graph (rendered graph edge listing omitted; function starting at fd42de, whose GetVersionExW, IsWow64Process, GetNativeSystemInfo and GetSystemInfo calls are listed under APIs below)
                      APIs
                      • GetVersionExW.KERNEL32(?), ref: 00FD430D
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      • GetCurrentProcess.KERNEL32(?,0106CB64,00000000,?,?), ref: 00FD4422
                      • IsWow64Process.KERNEL32(00000000,?,?), ref: 00FD4429
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00FD4454
                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00FD4466
                      • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00FD4474
                      • FreeLibrary.KERNEL32(00000000,?,?), ref: 00FD447B
                      • GetSystemInfo.KERNEL32(?,?,?), ref: 00FD44A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                      • String ID: GetNativeSystemInfo$kernel32.dll$|O
                      • API String ID: 3290436268-3101561225
                      • Opcode ID: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
                      • Instruction ID: ca300ab538dcda7dbadbaa2887573ff95459bdb70cb7c037a97528c6edc60007
                      • Opcode Fuzzy Hash: 3f68ab76f19d29fa15df96b9aa85d74026a89ae2d2080f6abbd35726425b6621
                      • Instruction Fuzzy Hash: 54A17E3790EAC0DFC732CF6974402997EE57B26250F88D89AD4C1ABB0ED63E4548DB61

                      Control-flow Graph (rendered graph edge listing omitted; function starting at fd42a2, which creates a stream on an HGLOBAL and locates, loads, sizes and locks the SCRIPT resource via the calls listed under APIs below)
                      APIs
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42B2
                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FD50AA,?,?,00000000,00000000), ref: 00FD42C9
                      • LoadResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135BE
                      • SizeofResource.KERNEL32(?,00000000,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20), ref: 010135D3
                      • LockResource.KERNEL32(00FD50AA,?,?,00FD50AA,?,?,00000000,00000000,?,?,?,?,?,?,00FD4F20,?), ref: 010135E6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                      • String ID: SCRIPT
                      • API String ID: 3051347437-3967369404
                      • Opcode ID: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
                      • Instruction ID: 9a20dce47b81f62748ad2d0d4817700ed697be4a802990822c8061a239cd0dd6
                      • Opcode Fuzzy Hash: 779150f581d366f3b762bac67e75dbe809d34fe908aba790a38d95ecd3026e02
                      • Instruction Fuzzy Hash: 29117C71200701BFE7218B65DD48F277BBAEBC5B62F14416AF886D7254DB76E8009670

                      Control-flow Graph

                      APIs
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B
                        • Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • GetForegroundWindow.USER32(runas,?,?,?,?,?,01092224), ref: 01012C10
                      • ShellExecuteW.SHELL32(00000000,?,?,01092224), ref: 01012C17
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                      • String ID: runas
                      • API String ID: 448630720-4000483414
                      • Opcode ID: 5cf8a314a001ca664b2c8870a3807ab5608ffa61ca519ee494a94cf881fb62f5
                      • Instruction ID: 2195e01886312c64bc9bf9f35f8201d0d7d9f5d7834452a629c22947a2c6263f
                      • Opcode Fuzzy Hash: 5cf8a314a001ca664b2c8870a3807ab5608ffa61ca519ee494a94cf881fb62f5
                      • Instruction Fuzzy Hash: 6911D2316082016AC715FF64DD5196EBBA6ABA1750F4C041FF2C2462A2CF7D8A09B752
                      APIs
                      • lstrlenW.KERNEL32(?,01015222), ref: 0103DBCE
                      • GetFileAttributesW.KERNELBASE(?), ref: 0103DBDD
                      • FindFirstFileW.KERNELBASE(?,?), ref: 0103DBEE
                      • FindClose.KERNEL32(00000000), ref: 0103DBFA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: FileFind$AttributesCloseFirstlstrlen
                      • String ID:
                      • API String ID: 2695905019-0
                      • Opcode ID: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
                      • Instruction ID: a80e2ed19f3b0f52dad72d31fde7b219afd0fb06a1e6629289c2e7c363d68361
                      • Opcode Fuzzy Hash: 5636fbe5babc33fd04b1c5df193f8701aa0757787e722d7b48f6947f3cc79c62
                      • Instruction Fuzzy Hash: F7F0EC7043051597A2306BBC9D0D46A77AC9E41334B404742F8F5C10F0EBB5995447D5
                      APIs
                      • GetInputState.USER32 ref: 00FDD807
                      • timeGetTime.WINMM ref: 00FDDA07
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB28
                      • TranslateMessage.USER32(?), ref: 00FDDB7B
                      • DispatchMessageW.USER32(?), ref: 00FDDB89
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FDDB9F
                      • Sleep.KERNEL32(0000000A), ref: 00FDDBB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                      • String ID:
                      • API String ID: 2189390790-0
                      • Opcode ID: dc1f6823e225c8353a8f3ab58ec25c58db943e98e2e7c1c036e4c11eab88b1c9
                      • Instruction ID: 1de6216cec3ae3ca10fdb80e23ff6325f78efa3a025fc81343fa39cfd9737e23
                      • Opcode Fuzzy Hash: dc1f6823e225c8353a8f3ab58ec25c58db943e98e2e7c1c036e4c11eab88b1c9
                      • Instruction Fuzzy Hash: AA421330608342DFD739DF24C894BAABBE2BF85314F18855AE4D587391D775E844EB82

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
                      • RegisterClassExW.USER32(00000030), ref: 00FD2D31
                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
                      • InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
                      • LoadIconW.USER32(000000A9), ref: 00FD2D85
                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                      • API String ID: 2914291525-1005189915
                      • Opcode ID: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
                      • Instruction ID: c3f78532a1c807ba05fda7af368226b56545a90e939e9de83918291335868e68
                      • Opcode Fuzzy Hash: aca0c8aabbff89e1949a99ae1d8d67146aae8cec6e182723749481d1882e86f7
                      • Instruction Fuzzy Hash: 632117B5D01358AFEB20DFA4E949BDDBBB8FB08700F00811AF591A6294D7BA0544CF91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 0101039A: CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7
                      • GetLastError.KERNEL32 ref: 0101076F
                      • __dosmaperr.LIBCMT ref: 01010776
                      • GetFileType.KERNELBASE(00000000), ref: 01010782
                      • GetLastError.KERNEL32 ref: 0101078C
                      • __dosmaperr.LIBCMT ref: 01010795
                      • CloseHandle.KERNEL32(00000000), ref: 010107B5
                      • CloseHandle.KERNEL32(?), ref: 010108FF
                      • GetLastError.KERNEL32 ref: 01010931
                      • __dosmaperr.LIBCMT ref: 01010938
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
                      • Instruction ID: c046e7d17304479e691a7d271609d77846a4ff5abb0683aa099704938a0cfe78
                      • Opcode Fuzzy Hash: 864f4027594d7c233ab582dc9384d7fb6ab44ab8f9fee991661cc61ae74a9492
                      • Instruction Fuzzy Hash: 99A13832A041098FDF19EF68D851BAE3BE0AF06324F14419DF8D5EB2D9D7398952CB91

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00FD3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010A1418,?,00FD2E7F,?,?,?,00000000), ref: 00FD3A78
                        • Part of subcall function 00FD3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FD3379
                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00FD356A
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0101318D
                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 010131CE
                      • RegCloseKey.ADVAPI32(?), ref: 01013210
                      • _wcslen.LIBCMT ref: 01013277
                      • _wcslen.LIBCMT ref: 01013286
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                      • API String ID: 98802146-2727554177
                      • Opcode ID: 1dbbc2dc6a2b6ecbf5b07bda14eb63fa0e0fc89b2db75a7975a79e2e093aed85
                      • Instruction ID: 18256a687bb4a9c0a6c31cf53867051ef4c9a8c7b127a713bc0eed05d661d3c7
                      • Opcode Fuzzy Hash: 1dbbc2dc6a2b6ecbf5b07bda14eb63fa0e0fc89b2db75a7975a79e2e093aed85
                      • Instruction Fuzzy Hash: 9971E4724043019ED324EF69DC818ABBBE8FF86750F84843EF5C497264EB7A9548DB52

                      Control-flow Graph

                      APIs
                      • GetSysColorBrush.USER32(0000000F), ref: 00FD2B8E
                      • LoadCursorW.USER32(00000000,00007F00), ref: 00FD2B9D
                      • LoadIconW.USER32(00000063), ref: 00FD2BB3
                      • LoadIconW.USER32(000000A4), ref: 00FD2BC5
                      • LoadIconW.USER32(000000A2), ref: 00FD2BD7
                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00FD2BEF
                      • RegisterClassExW.USER32(?), ref: 00FD2C40
                        • Part of subcall function 00FD2CD4: GetSysColorBrush.USER32(0000000F), ref: 00FD2D07
                        • Part of subcall function 00FD2CD4: RegisterClassExW.USER32(00000030), ref: 00FD2D31
                        • Part of subcall function 00FD2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FD2D42
                        • Part of subcall function 00FD2CD4: InitCommonControlsEx.COMCTL32(?), ref: 00FD2D5F
                        • Part of subcall function 00FD2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FD2D6F
                        • Part of subcall function 00FD2CD4: LoadIconW.USER32(000000A9), ref: 00FD2D85
                        • Part of subcall function 00FD2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FD2D94
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                      • String ID: #$0$AutoIt v3
                      • API String ID: 423443420-4155596026
                      • Opcode ID: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
                      • Instruction ID: db43bd0a8cc39adac1eed36ab4823e4ee7809fb39f5c15c2a3acca650c6475ba
                      • Opcode Fuzzy Hash: 5748b6c0cb35e84f66f941b2b17884b6edcc36b79a2f7e64fb8855132e563b45
                      • Instruction Fuzzy Hash: AA218E76E00314AFDB209FA5E944B9D7FF5FB08B50F40801AF584A2394D3BA0540DF90

                      Control-flow Graph

                      APIs
                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00FD316A,?,?), ref: 00FD31D8
                      • KillTimer.USER32(?,00000001,?,?,?,?,?,00FD316A,?,?), ref: 00FD3204
                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FD3227
                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00FD316A,?,?), ref: 00FD3232
                      • CreatePopupMenu.USER32 ref: 00FD3246
                      • PostQuitMessage.USER32(00000000), ref: 00FD3267
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                      • String ID: TaskbarCreated
                      • API String ID: 129472671-2362178303
                      • Opcode ID: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
                      • Instruction ID: b44e235fa34e885523597182ec83334bbf163cb4746656d8545beef21e235f4c
                      • Opcode Fuzzy Hash: a7781a905c0220edc4fae11d086ea3ef84c7bfc5d201ae992257bc2c964b9701
                      • Instruction Fuzzy Hash: 6941E437A00201AAEB246FB8DD09B793A5AF705351F5C411BF7D2C6395CA7E9A40B362

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
                      • Instruction ID: 062819872a75c00b55280d3a0eab8458b490428f348d88a42a49aed3d2cbea9d
                      • Opcode Fuzzy Hash: 343f3fa5452264d369bb29e5d2be5fd7461fb79d65f7e3c0b9dbaae0ca4120c3
                      • Instruction Fuzzy Hash: EDC1BF74D04249AFEB22DFACD844BADBFB4BF09314F04419AF698A72D2C7359941CB61

                      Control-flow Graph

                      APIs
                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016026A1
                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016028C7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: CreateFileFreeVirtual
                      • String ID:
                      • API String ID: 204039940-0
                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                      • Instruction ID: faa7aa3edbf0a1a1a196afaead1676f1a6ec29cbb3f5909872261e4ff7c056af
                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                      • Instruction Fuzzy Hash: 7DA10874E00209EBDB19CFA4C8A8BEEBBB5BF48305F20855DE501BB2C0D7759A85CB54

                      Control-flow Graph

                      APIs
                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FD2C91
                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FD2CB2
                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CC6
                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,00FD1CAD,?), ref: 00FD2CCF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$CreateShow
                      • String ID: AutoIt v3$edit
                      • API String ID: 1584632944-3779509399
                      • Opcode ID: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
                      • Instruction ID: a93a18b714e900f76310d983049d1f86ebff188efbb9c3ffd160354d1955f61a
                      • Opcode Fuzzy Hash: 6af094bf6a0cbca682249db23407bd25431b1b282bafe0ca61098e5037ad3c88
                      • Instruction Fuzzy Hash: 83F0DA765406A07AEB311B17AC0CE772EBDE7C6F60F40805EF980A6554C6BA1850DBB0

                      Control-flow Graph
                      control_flow_graph 786 16023b0-16024d1 call 1600000 call 16022a0 CreateFileW 793 16024d3 786->793 794 16024d8-16024e8 786->794 795 1602588-160258d 793->795 797 16024ea 794->797 798 16024ef-1602509 VirtualAlloc 794->798 797->795 799 160250b 798->799 800 160250d-1602524 ReadFile 798->800 799->795 801 1602526 800->801 802 1602528-1602562 call 16022e0 call 16012a0 800->802 801->795 807 1602564-1602579 call 1602330 802->807 808 160257e-1602586 ExitProcess 802->808 807->808 808->795
                      APIs
                        • Part of subcall function 016022A0: Sleep.KERNELBASE(000001F4), ref: 016022B1
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016024C7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: CreateFileSleep
                      • String ID: YVNXT1BKTR4CH28DDJ
                      • API String ID: 2694422964-2219153102
                      • Opcode ID: 6dea040555e8f458674de1c12276d1eef3282a1741fe2dc36121b3def3031a4e
                      • Instruction ID: b762114ccda1d63747db376ac638e9364c4c5c3257def9c882fb440e9d432d4e
                      • Opcode Fuzzy Hash: 6dea040555e8f458674de1c12276d1eef3282a1741fe2dc36121b3def3031a4e
                      • Instruction Fuzzy Hash: 76515D30D04249DAEF16DBA4CC58BEFBB79AF15300F004199E209BB2C1D6B91B49CB69

                      Control-flow Graph

                      APIs
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042C05
                      • DeleteFileW.KERNEL32(?), ref: 01042C87
                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01042C9D
                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CAE
                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 01042CC0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: File$Delete$Copy
                      • String ID:
                      • API String ID: 3226157194-0
                      • Opcode ID: 1e462abc4eec753d68b45c27ee50158bd2bcc68f0940492c82d8a1b5b7e2f11f
                      • Instruction ID: a63eff196d25636b92cb02e95866bdccbf3afe0d9e3892897900dc3ac2b9c6c1
                      • Opcode Fuzzy Hash: 1e462abc4eec753d68b45c27ee50158bd2bcc68f0940492c82d8a1b5b7e2f11f
                      • Instruction Fuzzy Hash: BCB160B1E0011DABDF21DBA4DC85EEE7BBDEF48340F0440A6F649E6151EA359A448FA1

                      Control-flow Graph
                      control_flow_graph 952 fd3b1c-fd3b27 953 fd3b99-fd3b9b 952->953 954 fd3b29-fd3b2e 952->954 956 fd3b8c-fd3b8f 953->956 954->953 955 fd3b30-fd3b48 RegOpenKeyExW 954->955 955->953 957 fd3b4a-fd3b69 RegQueryValueExW 955->957 958 fd3b6b-fd3b76 957->958 959 fd3b80-fd3b8b RegCloseKey 957->959 960 fd3b78-fd3b7a 958->960 961 fd3b90-fd3b97 958->961 959->956 962 fd3b7e 960->962 961->962 962->959
                      APIs
                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B40
                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B61
                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00FD3B0F,SwapMouseButtons,00000004,?), ref: 00FD3B83
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CloseOpenQueryValue
                      • String ID: Control Panel\Mouse
                      • API String ID: 3677997916-824357125
                      • Opcode ID: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
                      • Instruction ID: 39c419590c175170c2e9e2ae6e5a0efa0853f9fd37f2d10228e1dc9b1e5fdf20
                      • Opcode Fuzzy Hash: 3eb3e8727deb137a3fa924c0ada26fcd4bdc96114e2067c6e751f1fc54e08ecf
                      • Instruction Fuzzy Hash: B8115AB5510208FFEB208FA4DC44AAEB7B9EF41750B14446BF941D7214D2319F40A760
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01601ACD
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01601AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01601B13
                      • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01601E1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                      • String ID:
                      • API String ID: 572931308-0
                      • Opcode ID: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                      • Instruction ID: 3c978401777cc756c1d06623f057357e79f777e7299ba5897445aa7170eb3f6e
                      • Opcode Fuzzy Hash: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                      • Instruction Fuzzy Hash: 6662F930A146589BEB29CBA4CC50BDEB772EF58300F1091A9D20DEB3D0E7759E81CB59
                      Strings
                      • Variable must be of type 'Object'., xrefs: 010232B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: Variable must be of type 'Object'.
                      • API String ID: 0-109567571
                      • Opcode ID: 00305bef91e5bf62c32ced710e1b82651f58400cb8dbededafd20d0d529a9ab9
                      • Instruction ID: c557b984e7b9a1a4709e5d363269930d59b3b08d4c0283b792c959f9de920737
                      • Opcode Fuzzy Hash: 00305bef91e5bf62c32ced710e1b82651f58400cb8dbededafd20d0d529a9ab9
                      • Instruction Fuzzy Hash: 32C26A75E00215CFCB24EF58C880BADB7B2BF09310F28856AE955AF351D379AD41EB91
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00FDFE66
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID:
                      • API String ID: 1385522511-0
                      • Opcode ID: b2980b534699405db839f7321e82b33cd98bcb94f6c18d264958286552c1f28b
                      • Instruction ID: d5e6a3362f5b23b73a5a8354bc748ae57b73567b7578dc8d59c7ddd7e5764e8b
                      • Opcode Fuzzy Hash: b2980b534699405db839f7321e82b33cd98bcb94f6c18d264958286552c1f28b
                      • Instruction Fuzzy Hash: EFB28E75A08341CFCB24DF14C480B2AB7E2BF89310F58496EE8869B351D775ED49EB92
                      APIs
                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 010133A2
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FD3A04
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: IconLoadNotifyShell_String_wcslen
                      • String ID: Line:
                      • API String ID: 2289894680-1585850449
                      • Opcode ID: 0819f14183202e92ca9cf9f7b575c40fe7aa8258c42864ff5802e564e8bd07a6
                      • Instruction ID: a30fad9011d538f131692e8177828903b99432fb2e9a0dafff3da6383c6931ad
                      • Opcode Fuzzy Hash: 0819f14183202e92ca9cf9f7b575c40fe7aa8258c42864ff5802e564e8bd07a6
                      • Instruction Fuzzy Hash: 9131E272508304AAD325EB20DC45BEFB7DAAF40720F08452FF6D982285DB789A48D7D3
                      APIs
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
                        • Part of subcall function 00FF32A4: RaiseException.KERNEL32(?,?,?,00FF068A,?,010A1444,?,?,?,?,?,?,00FF068A,00FD1129,01098738,00FD1129), ref: 00FF3304
                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Exception@8Throw$ExceptionRaise
                      • String ID: Unknown exception
                      • API String ID: 3476068407-410509341
                      • Opcode ID: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
                      • Instruction ID: 6549ce84ff6b2fa1da23615da2e789f0c6d8cd7ba87a70eb96777c81d314ab7b
                      • Opcode Fuzzy Hash: 0700ba37a045dc253a34298f4f34ab1782dd6f1988ec7f186b2347b3ccb56b1a
                      • Instruction Fuzzy Hash: 10F02835D0020D738F10BA65DC46D7E7B6C5E00320B504071BA14C55B2EF74EA29F5C0
                      APIs
                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0104302F
                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 01043044
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Temp$FileNamePath
                      • String ID: aut
                      • API String ID: 3285503233-3010740371
                      • Opcode ID: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
                      • Instruction ID: b0de322f861074c1c4c4526cad7b494af72b2df92950950543181a42fd6af11b
                      • Opcode Fuzzy Hash: 5585dc3ee21d4a41873f90b30cb9faeb5af0b6e5912fb292a6e538f054bdcb23
                      • Instruction Fuzzy Hash: 79D05B7150031467DB309695DD0DFC73A6CD704650F000151BAD5D6095DAB99544CBD0
                      APIs
                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 010582F5
                      • TerminateProcess.KERNEL32(00000000), ref: 010582FC
                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 010584DD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$CurrentFreeLibraryTerminate
                      • String ID:
                      • API String ID: 146820519-0
                      • Opcode ID: 21749f1d429605b941f6fec2fb5f480f67673cdc6bc0e1eea523795fa915595b
                      • Instruction ID: 0b227fbe29a2293085e8124056c631bc4286e5785783f961b1b12418b94dd0e1
                      • Opcode Fuzzy Hash: 21749f1d429605b941f6fec2fb5f480f67673cdc6bc0e1eea523795fa915595b
                      • Instruction Fuzzy Hash: BE127A71A083419FD754DF29C484B6ABBE5BF88318F04895EEC898B352CB35E945CF92
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
                      • Instruction ID: 9250ca9235612dbf8b1070ec45a9a7cef95f27818fb606962aa378a9171510bf
                      • Opcode Fuzzy Hash: 44c5428bc4effedf1078349b1bd301cec1e1b94add8360eb92126d15f4a3d872
                      • Instruction Fuzzy Hash: ED519E7190020E9FEB239FA8CD45EFEBFB8AF45314F040199E585A72D1D6759A01CF61
                      APIs
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
                        • Part of subcall function 00FD1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22
                        • Part of subcall function 00FD1B4A: RegisterWindowMessageW.USER32(00000004,?,00FD12C4), ref: 00FD1BA2
                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FD136A
                      • OleInitialize.OLE32 ref: 00FD1388
                      • CloseHandle.KERNEL32(00000000,00000000), ref: 010124AB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                      • String ID:
                      • API String ID: 1986988660-0
                      • Opcode ID: e5531d146ff76993f1c0f34f7f04cb78fb2ff16baa0774cf7179cf54554ee1f4
                      • Instruction ID: 030bfdad99d34ac0324d188fe46c93549dcb644099facb2f25f28600ffb19069
                      • Opcode Fuzzy Hash: e5531d146ff76993f1c0f34f7f04cb78fb2ff16baa0774cf7179cf54554ee1f4
                      • Instruction Fuzzy Hash: A271CBB8901A10CFC3A8EF79E5456953AE5FB49384FD8822AD0DAC7389EB3E4401CF51
                      APIs
                      • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,010085CC,?,01098CC8,0000000C), ref: 01008704
                      • GetLastError.KERNEL32(?,010085CC,?,01098CC8,0000000C), ref: 0100870E
                      • __dosmaperr.LIBCMT ref: 01008739
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                      • String ID:
                      • API String ID: 490808831-0
                      • Opcode ID: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
                      • Instruction ID: 3e572dd623319e50030c0fa135d6f1f4783bc1fad326ff9ccf954bb002b2149a
                      • Opcode Fuzzy Hash: 9625e69e5861983343c146a167b76f0e4a3d6853d0f893a4b9dfbe02df0d183d
                      • Instruction Fuzzy Hash: 45018232E0426016F6B36238AC4477E2FC96B95734F26819BE9C89B0D7DE65C4818750
                      APIs
                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,01042CD4,?,?,?,00000004,00000001), ref: 01042FF2
                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 01043006
                      • CloseHandle.KERNEL32(00000000,?,01042CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0104300D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: File$CloseCreateHandleTime
                      • String ID:
                      • API String ID: 3397143404-0
                      • Opcode ID: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
                      • Instruction ID: 904ba85e6ae246260efa49a88866bcbedc1f4adf96e287718e23786ad7f5e928
                      • Opcode Fuzzy Hash: f37348d795e27acda81005bb195c02715799a3c537b671903d31fb02512d40c2
                      • Instruction Fuzzy Hash: ADE0863228022077F6302659BD0DF8B3E5CDB86B71F104224F7E9790D086A6250143A8
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00FE17F6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID: CALL
                      • API String ID: 1385522511-4196123274
                      • Opcode ID: 516df20c0cb410a2883221f4cb0f1d79884e09fff36b50e143c176bed816ef2a
                      • Instruction ID: 21eb903e0b337c4cfcd7d80fa3aa37b832fa298c8769b48ce0f4b0675d37913a
                      • Opcode Fuzzy Hash: 516df20c0cb410a2883221f4cb0f1d79884e09fff36b50e143c176bed816ef2a
                      • Instruction Fuzzy Hash: ED227D706083819FC714DF16C880B2ABBF1BF85314F18896DF8968B362D776E945DB92
                      APIs
                      • _wcslen.LIBCMT ref: 01046F6B
                        • Part of subcall function 00FD4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: LibraryLoad_wcslen
                      • String ID: >>>AUTOIT SCRIPT<<<
                      • API String ID: 3312870042-2806939583
                      • Opcode ID: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
                      • Instruction ID: 8393944ad3275175dd219508259e7fbe9cd9e0de12ba228406f19b2d9296e342
                      • Opcode Fuzzy Hash: 0dcc7c8e76f483d8d3b0268ffa537c428adc674922931a22bb0432f14e7970ea
                      • Instruction Fuzzy Hash: B4B195711082018FCB15EF24C8919AEB7E6AF94300F48496EF5D697362EB34ED49DB92
                      APIs
                      • GetOpenFileNameW.COMDLG32(?), ref: 01012C8C
                        • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                        • Part of subcall function 00FD2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Name$Path$FileFullLongOpen
                      • String ID: X
                      • API String ID: 779396738-3081909835
                      • Opcode ID: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
                      • Instruction ID: d88c40635c814e1cb6dde71213d9c3ef727d5bd3fb8b241054bbfeeb2507fd93
                      • Opcode Fuzzy Hash: 09c3c4898de44209781de2d079df9bcfd17cf146ff41df96a55a939efef2bbc1
                      • Instruction Fuzzy Hash: 1A21F371A002489BDF41EF94CC45BEE7BF9AF49304F04805AE544E7345DBB856899BA1
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: __fread_nolock
                      • String ID: EA06
                      • API String ID: 2638373210-3962188686
                      • Opcode ID: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
                      • Instruction ID: 3e101d4962b70f8c7939fbae7ec3d5edf49c9926df9d5d9cd9ebd2d105274bfc
                      • Opcode Fuzzy Hash: ff28abbbfcf1955e75fc027889a6de949fbf594463ab02ef2a91e84421e75de8
                      • Instruction Fuzzy Hash: 2B01B9719442587EDF18D7A8CC56EBE7BF89F05305F00455AF193D6181E5B8E704DB60
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0160238A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID: D
                      • API String ID: 963392458-2746444292
                      • Opcode ID: 6cb96521d7c40653040d1dd33bb025be60ddcfc4f79d8507ccbbce5ff7b1491f
                      • Instruction ID: c0282099c5e216986ee28fa4fbb49485f1fd411c339546e5560776f59f5c3f73
                      • Opcode Fuzzy Hash: 6cb96521d7c40653040d1dd33bb025be60ddcfc4f79d8507ccbbce5ff7b1491f
                      • Instruction Fuzzy Hash: 5201FF71900308ABDB29DBE0CC5DFEF777CAF44701F40855DA6169A1C0EB7496088B55
                      APIs
                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01601ACD
                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01601AF1
                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01601B13
                      • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01601E1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                      • String ID:
                      • API String ID: 572931308-0
                      • Opcode ID: 0c26ce5ed657937ab7cef85eaaffec4c201bc4c0441aa9bb0c46e3760ea72e56
                      • Instruction ID: d25e878e94a0ec780bb44f49464482272554ad104f9da2d6e8eee65b79ccdbff
                      • Opcode Fuzzy Hash: 0c26ce5ed657937ab7cef85eaaffec4c201bc4c0441aa9bb0c46e3760ea72e56
                      • Instruction Fuzzy Hash: C412CD24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A
                      APIs
                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: IconNotifyShell_
                      • String ID:
                      • API String ID: 1144537725-0
                      • Opcode ID: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
                      • Instruction ID: c3d448abb41be867d5d0b24c8ca225ffe8be12ad6ee3bbb6f6bc5c81f8e8629c
                      • Opcode Fuzzy Hash: 8d7d62f0a00c138c72fbc698890493c0259c53978ce34a70fd3f64220eb9c7be
                      • Instruction Fuzzy Hash: 373193729047019FE720DF24D484797BBE8FB49718F04092EF6DA97340E7B6AA44DB52
                      APIs
                      • __Init_thread_footer.LIBCMT ref: 00FDBB4E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Init_thread_footer
                      • String ID:
                      • API String ID: 1385522511-0
                      • Opcode ID: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
                      • Instruction ID: 74f70b8f6bf049271a868a4353392cef63fbf68a4fbe97bab7272c6edcaf19ad
                      • Opcode Fuzzy Hash: 45227eac1fbc1206a753151aa8a11ccfbeda003d5a2bda4cf367a90fae922894
                      • Instruction Fuzzy Hash: 0832EC31A00219DFDB20CF58C894BBEB7BAEF44310F19805AF985AB355C778AD41EB91
                      APIs
                        • Part of subcall function 00FD4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
                        • Part of subcall function 00FD4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
                        • Part of subcall function 00FD4E90: FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0
                      • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EFD
                        • Part of subcall function 00FD4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
                        • Part of subcall function 00FD4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
                        • Part of subcall function 00FD4E59: FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Library$Load$AddressFreeProc
                      • String ID:
                      • API String ID: 2632591731-0
                      • Opcode ID: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
                      • Instruction ID: 531c4ac09412a6fc11e8cc4abc51feda5b6f890c6eea477f5dfed4a20dac05b3
                      • Opcode Fuzzy Hash: d11dbeee35e29109e1896679d2ccca8c54aece4c1ce260720c677a294205f5c1
                      • Instruction Fuzzy Hash: DC110A32600205ABDF14FF64DD16FAD77A6AF40B10F14442FF592AB2E1DE78AA05B750
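                      The two function entries above carry the security-relevant signal in this part of the listing. The chain CreateProcessW, Wow64GetThreadContext(?, 00010007), ReadProcessMemory(?, ?, ?, 00000004, 00000000), TerminateProcess, found in the region at 01600000 that the report marks "based on PE: false" (memory not backed by an on-disk image, i.e. an unpacked stage), is the shape of a process-hollowing loader: 0x00010007 is CONTEXT_FULL for x86, and a 4-byte remote read right after fetching the child's context is consistent with reading ImageBaseAddress out of the child's PEB, although the listing does not show the address read. The LoadLibraryA / GetProcAddress / FreeLibrary triple in the PE-backed AutoIt runtime at 00FD0000, by contrast, is ordinary run-time resolution of Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses text in the shape of the "APIs" and "Source File" lines of these entries and flags both patterns. The embedded sample is constructed (trimmed copies of lines from these two entries); the rule names, the score weights and the PEB interpretation are the example's own assumptions.

```python
"""Flag hollowing-style and dynamic-resolution API chains in Joe Sandbox
per-function 'APIs' listings. Added example; not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: trimmed copies of entries in the shape of the report above.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01601ACD
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01601AF1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01601B13
• TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 01601E1C
Memory Dump Source
• Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
APIs
  • Part of subcall function 00FD4E90: LoadLibraryA.KERNEL32(kernel32.dll,?), ref: 00FD4E9C
  • Part of subcall function 00FD4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
• LoadLibraryExW.KERNELBASE(?,00000000,00000002), ref: 00FD4EFD
Memory Dump Source
• Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
"""

# One API line: optional "Part of subcall function X:", Api.MODULE(args), ref: addr
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SRC_RE = re.compile(
    r"Source File:\s*(?P<dump>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

CREATE = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}
CONTEXT = {"GetThreadContext", "Wow64GetThreadContext", "SetThreadContext", "Wow64SetThreadContext"}
INJECT = {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory", "VirtualAllocEx",
          "NtUnmapViewOfSection", "ResumeThread", "NtResumeThread"}
CONTEXT_FULL_X86 = 0x10007  # CONTEXT_i386 | CONTROL | INTEGER | SEGMENTS


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]


@dataclass
class Entry:
    calls: List[Call] = field(default_factory=list)
    dump: str = ""
    base: int = 0
    pe_backed: bool = True


def parse_entries(text: str) -> List[Entry]:
    """One Entry per function: its API lines, closed by the 'Source File' line."""
    entries, cur = [], Entry()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16),
                                  int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.dump, cur.base, cur.pe_backed = m["dump"], int(m["base"], 16), m["pe"] == "true"
            entries.append(cur)
            cur = Entry()
    return entries


def _hex_arg(call: Call, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):  # '?' (unknown) or missing argument
        return None


def analyze(text: str) -> List[dict]:
    findings = []
    for e in parse_entries(text):
        names = {c.api for c in e.calls}
        if names & CREATE and names & CONTEXT and names & INJECT:
            findings.append({
                "rule": "process_hollowing_chain", "base": e.base, "pe_backed": e.pe_backed,
                "apis": sorted(names & (CREATE | CONTEXT | INJECT)),
                # CONTEXT_FULL is what a hollowing loader requests to read the child's Ebx (PEB)
                "context_full": any(c.api in CONTEXT and _hex_arg(c, 1) == CONTEXT_FULL_X86
                                    for c in e.calls),
                # weights are this example's own choice; unpacked (non-PE-backed) code scores higher
                "score": 8 + (0 if e.pe_backed else 2),
            })
        exports = [c.args[1] for c in e.calls
                   if c.api == "GetProcAddress" and len(c.args) > 1 and c.args[1] != "?"]
        if exports and any(n.startswith("LoadLibrary") for n in names):
            findings.append({"rule": "dynamic_api_resolution", "base": e.base,
                             "pe_backed": e.pe_backed, "exports": exports, "score": 3})
    return findings


def findings_by_rule(text: str) -> Dict[str, List[dict]]:
    out: Dict[str, List[dict]] = {}
    for f in analyze(text):
        out.setdefault(f["rule"], []).append(f)
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['rule']:26} base={f['base']:08X} pe_backed={f['pe_backed']} score={f['score']}")
```

                      Run against the full "APIs" section of a report, the parser yields one Entry per function; the hollowing rule fires only when creation, thread-context and remote-memory APIs occur in the same function, so the CreateProcessW(…, 00000044, ?) entry at 0160238A, which has no context or memory calls, is not flagged on its own. Note the argument "?" means the sandbox could not recover the value, so a rule must treat it as unknown rather than as zero.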
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: __wsopen_s
                      • String ID:
                      • API String ID: 3347428461-0
                      • Opcode ID: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
                      • Instruction ID: 88115d139422b21e92edd4a02dad9b110e91a9222586bb2933ccadbb71cc8f35
                      • Opcode Fuzzy Hash: d374f3d311a6b5af67ddea401336bcd465707ede16adf6be6bbead75dbd26a5f
                      • Instruction Fuzzy Hash: 8211487190410AAFDB06DF58E9409DE7BF9FF48300F01809AF848AB341DB31DA11CBA4
                      APIs
                        • Part of subcall function 01004C7D: RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE
                      • _free.LIBCMT ref: 0100506C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AllocateHeap_free
                      • String ID:
                      • API String ID: 614378929-0
                      • Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                      • Instruction ID: 5e8dca7e150cf7d344b10f94ded27be0a59cbca9c17a02b67e705159b1b4137a
                      • Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
                      • Instruction Fuzzy Hash: 7E012B722043055BF323CE599C4499EFBECFB85270F25051DE1C4872C0EA306805CA74
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                      • Instruction ID: 2870e560871c4e9d6c1568b27c5cd85f9a547272a3a8b62ad37626ae1d7dc924
                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                      • Instruction Fuzzy Hash: F6F02D32920E1C96D7333E658C04BBA33989F62330F100716F665D71F0DB74D401A9A5
                      APIs
                      • RtlAllocateHeap.NTDLL(00000008,00FD1129,00000000,?,01002E29,00000001,00000364,?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?), ref: 01004CBE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: 19164ea08e5f6952d95dc9055c021db33abc34fa1ce1c8905e8a35033fe88cd6
                      • Instruction ID: 807cca69f80908dd42bc034b934ae2fbcc20a3f088263ea11cd351e962c9dfce
                      • Opcode Fuzzy Hash: 19164ea08e5f6952d95dc9055c021db33abc34fa1ce1c8905e8a35033fe88cd6
                      • Instruction Fuzzy Hash: CDF0B43160022C67FBA35E669C09F6B3BC8AF417A0F084161FB99EA1D4CB35D40046E8
                      APIs
                      • RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AllocateHeap
                      • String ID:
                      • API String ID: 1279760036-0
                      • Opcode ID: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
                      • Instruction ID: d5884f2b058cbf24406a722b06812c2019f863f25db3f4f51ab3928b72c925c2
                      • Opcode Fuzzy Hash: d871a61536783a69ec361397fd92ac5da58bf10246a05de0707c7bd82dfcde5d
                      • Instruction Fuzzy Hash: 77E065311017299EF7732A6A9C05BAB3A89BF426B0F0501E1FED59E5D1DB25EA0183F1
                      APIs
                      • FreeLibrary.KERNEL32(?,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4F6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: FreeLibrary
                      • String ID:
                      • API String ID: 3664257935-0
                      • Opcode ID: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
                      • Instruction ID: 758da958ad098c2cfab47a6241142af78be3d9bcc26c12b3670cf7f4fd82b309
                      • Opcode Fuzzy Hash: 84347deee13fbdfc610fe230a70d6f23ce87fccfc4c762eb857deefa1d527ec7
                      • Instruction Fuzzy Hash: 4FF03071505751CFDB359F64D490922BBF5AF14329318897FE1EA83630C731A844EF10
                      APIs
                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FD2DC4
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: LongNamePath_wcslen
                      • String ID:
                      • API String ID: 541455249-0
                      • Opcode ID: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
                      • Instruction ID: 48ac6af07303ca716591873c3471a1a5e296cb743c86dd32b97bc22756cb9cfe
                      • Opcode Fuzzy Hash: f7adc9df84ddb6a63cea3d3a7f8b355fa40f5f813c1b0d66107d0914ac88fd9a
                      • Instruction Fuzzy Hash: EFE0CD726041245BC721A2589C05FDA77DDDFC8790F040076FD49D724CD974AD808650
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: __fread_nolock
                      • String ID:
                      • API String ID: 2638373210-0
                      • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                      • Instruction ID: a50740272028c7a3aed4e32c4aeaae7153eeca5da09cdb0cb1b0370efab8cc8a
                      • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
                      • Instruction Fuzzy Hash: A6E04FB0609B005FDF396E2CA8917B677E99F4A340F00086EF6DB93262E57268458A4D
                      APIs
                        • Part of subcall function 00FD3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FD3908
                        • Part of subcall function 00FDD730: GetInputState.USER32 ref: 00FDD807
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00FD2B6B
                        • Part of subcall function 00FD30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00FD314E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                      • String ID:
                      • API String ID: 3667716007-0
                      • Opcode ID: b9c7237d75664cf6294cf017ec8e1053299bb3ed901c9283dcf6f0a676ff0094
                      • Instruction ID: 79fa7a0aa32b944c6d4863f1f671b04a94e653d01f646aca1beb22feb4051445
                      • Opcode Fuzzy Hash: b9c7237d75664cf6294cf017ec8e1053299bb3ed901c9283dcf6f0a676ff0094
                      • Instruction Fuzzy Hash: 7FE0263270420402CA04BB74AC1246DB74B9BD1351F88053FF28283353CE7D4A456352
                      APIs
                      • CreateFileW.KERNELBASE(00000000,00000000,?,01010704,?,?,00000000,?,01010704,00000000,0000000C), ref: 010103B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
                      • Instruction ID: d6fb79117f2053f2d6affabce41156853937d56249e1fc94309cdac6f161e810
                      • Opcode Fuzzy Hash: 4e3a0b452ff7ccdb9f1555dc64106fe0bf60d66870a336a6f127f754342134f5
                      • Instruction Fuzzy Hash: 50D06C3204010DFBDF128F84DD06EDA3BAAFB48714F014000FE5856020C736E821AB90
                      APIs
                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00FD1CBC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: InfoParametersSystem
                      • String ID:
                      • API String ID: 3098949447-0
                      • Opcode ID: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
                      • Instruction ID: 8b1f48b39f199d850f188b09c2e32a8d2087fcdb776cedf2e376f5d70f0e50e9
                      • Opcode Fuzzy Hash: 3303c62dd2069b02f761bdd6db85cdfd646d25b76e500510769427ee9d2f6209
                      • Instruction Fuzzy Hash: EFC09B36280704DFF2344A90BD4AF107755B348B10F448001F6C9555D7C3B71450DB50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 016022B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                      • Sleep.KERNELBASE(000001F4), ref: 016022B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849465341.0000000001600000.00000040.00001000.00020000.00000000.sdmp, Offset: 01600000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1600000_shipping doc.jbxd
                      Similarity
                      • API ID: Sleep
                      • String ID:
                      • API String ID: 3472027048-0
                      APIs
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0106961A
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0106965B
                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0106969F
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010696C9
                      • SendMessageW.USER32 ref: 010696F2
                      • GetKeyState.USER32(00000011), ref: 0106978B
                      • GetKeyState.USER32(00000009), ref: 01069798
                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 010697AE
                      • GetKeyState.USER32(00000010), ref: 010697B8
                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 010697E9
                      • SendMessageW.USER32 ref: 01069810
                      • SendMessageW.USER32(?,00001030,?,01067E95), ref: 01069918
                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0106992E
                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 01069941
                      • SetCapture.USER32(?), ref: 0106994A
                      • ClientToScreen.USER32(?,?), ref: 010699AF
                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 010699BC
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010699D6
                      • ReleaseCapture.USER32 ref: 010699E1
                      • GetCursorPos.USER32(?), ref: 01069A19
                      • ScreenToClient.USER32(?,?), ref: 01069A26
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 01069A80
                      • SendMessageW.USER32 ref: 01069AAE
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 01069AEB
                      • SendMessageW.USER32 ref: 01069B1A
                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 01069B3B
                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 01069B4A
                      • GetCursorPos.USER32(?), ref: 01069B68
                      • ScreenToClient.USER32(?,?), ref: 01069B75
                      • GetParent.USER32(?), ref: 01069B93
                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 01069BFA
                      • SendMessageW.USER32 ref: 01069C2B
                      • ClientToScreen.USER32(?,?), ref: 01069C84
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 01069CB4
                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 01069CDE
                      • SendMessageW.USER32 ref: 01069D01
                      • ClientToScreen.USER32(?,?), ref: 01069D4E
                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 01069D82
                        • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                      • GetWindowLongW.USER32(?,000000F0), ref: 01069E05
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                      • String ID: @GUI_DRAGID$F
                      • API String ID: 3429851547-4164748364
                      APIs
                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 010648F3
                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 01064908
                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 01064927
                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0106494B
                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0106495C
                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0106497B
                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 010649AE
                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 010649D4
                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 01064A0F
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A56
                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 01064A7E
                      • IsMenu.USER32(?), ref: 01064A97
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064AF2
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01064B20
                      • GetWindowLongW.USER32(?,000000F0), ref: 01064B94
                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 01064BE3
                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 01064C82
                      • wsprintfW.USER32 ref: 01064CAE
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064CC9
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 01064CF1
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01064D13
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 01064D33
                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 01064D5A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                      • String ID: %d/%02d/%02d
                      • API String ID: 4054740463-328681919
                      APIs
                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00FEF998
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0102F474
                      • IsIconic.USER32(00000000), ref: 0102F47D
                      • ShowWindow.USER32(00000000,00000009), ref: 0102F48A
                      • SetForegroundWindow.USER32(00000000), ref: 0102F494
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4AA
                      • GetCurrentThreadId.KERNEL32 ref: 0102F4B1
                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0102F4BD
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4CE
                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0102F4D6
                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0102F4DE
                      • SetForegroundWindow.USER32(00000000), ref: 0102F4E1
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F4F6
                      • keybd_event.USER32(00000012,00000000), ref: 0102F501
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F50B
                      • keybd_event.USER32(00000012,00000000), ref: 0102F510
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F519
                      • keybd_event.USER32(00000012,00000000), ref: 0102F51E
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0102F528
                      • keybd_event.USER32(00000012,00000000), ref: 0102F52D
                      • SetForegroundWindow.USER32(00000000), ref: 0102F530
                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 0102F557
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                      • String ID: Shell_TrayWnd
                      • API String ID: 4125248594-2988720461
                      APIs
                        • Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                        • Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                        • Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A
                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 01031286
                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 010312A8
                      • CloseHandle.KERNEL32(?), ref: 010312B9
                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 010312D1
                      • GetProcessWindowStation.USER32 ref: 010312EA
                      • SetProcessWindowStation.USER32(00000000), ref: 010312F4
                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 01031310
                        • Part of subcall function 010310BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
                        • Part of subcall function 010310BF: CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                      • String ID: $default$winsta0
                      • API String ID: 22674027-1027155976
                      APIs
                        • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                        • Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                        • Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                        • Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                        • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030BCC
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030C00
                      • GetLengthSid.ADVAPI32(?), ref: 01030C17
                      • GetAce.ADVAPI32(?,00000000,?), ref: 01030C51
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030C6D
                      • GetLengthSid.ADVAPI32(?), ref: 01030C84
                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030C8C
                      • HeapAlloc.KERNEL32(00000000), ref: 01030C93
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030CB4
                      • CopySid.ADVAPI32(00000000), ref: 01030CBB
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030CEA
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030D0C
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030D1E
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D45
                      • HeapFree.KERNEL32(00000000), ref: 01030D4C
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D55
                      • HeapFree.KERNEL32(00000000), ref: 01030D5C
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030D65
                      • HeapFree.KERNEL32(00000000), ref: 01030D6C
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01030D78
                      • HeapFree.KERNEL32(00000000), ref: 01030D7F
                        • Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
                        • Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
                        • Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                      • String ID:
                      • API String ID: 4175595110-0
                      APIs
                      • OpenClipboard.USER32(0106CC08), ref: 0104EB29
                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0104EB37
                      • GetClipboardData.USER32(0000000D), ref: 0104EB43
                      • CloseClipboard.USER32 ref: 0104EB4F
                      • GlobalLock.KERNEL32(00000000), ref: 0104EB87
                      • CloseClipboard.USER32 ref: 0104EB91
                      • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0104EBBC
                      • IsClipboardFormatAvailable.USER32(00000001), ref: 0104EBC9
                      • GetClipboardData.USER32(00000001), ref: 0104EBD1
                      • GlobalLock.KERNEL32(00000000), ref: 0104EBE2
                      • GlobalUnlock.KERNEL32(00000000,?), ref: 0104EC22
                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 0104EC38
                      • GetClipboardData.USER32(0000000F), ref: 0104EC44
                      • GlobalLock.KERNEL32(00000000), ref: 0104EC55
                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0104EC77
                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104EC94
                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0104ECD2
                      • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0104ECF3
                      • CountClipboardFormats.USER32 ref: 0104ED14
                      • CloseClipboard.USER32 ref: 0104ED59
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                      • String ID:
                      • API String ID: 420908878-0
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 010469BE
                      • FindClose.KERNEL32(00000000), ref: 01046A12
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A4E
                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 01046A75
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 01046AB2
                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 01046ADF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                      • API String ID: 3830820486-3289030164
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 01049663
                      • GetFileAttributesW.KERNEL32(?), ref: 010496A1
                      • SetFileAttributesW.KERNEL32(?,?), ref: 010496BB
                      • FindNextFileW.KERNEL32(00000000,?), ref: 010496D3
                      • FindClose.KERNEL32(00000000), ref: 010496DE
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 010496FA
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0104974A
                      • SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 01049768
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 01049772
                      • FindClose.KERNEL32(00000000), ref: 0104977F
                      • FindClose.KERNEL32(00000000), ref: 0104978F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                      • String ID: *.*
                      • API String ID: 1409584000-438819550
                      APIs
                      • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 010497BE
                      • FindNextFileW.KERNEL32(00000000,?), ref: 01049819
                      • FindClose.KERNEL32(00000000), ref: 01049824
                      • FindFirstFileW.KERNEL32(*.*,?), ref: 01049840
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01049890
                      • SetCurrentDirectoryW.KERNEL32(01096B7C), ref: 010498AE
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 010498B8
                      • FindClose.KERNEL32(00000000), ref: 010498C5
                      • FindClose.KERNEL32(00000000), ref: 010498D5
                        • Part of subcall function 0103DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0103DB00
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                      • String ID: *.*
                      • API String ID: 2640511053-438819550
                      • Opcode ID: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
                      • Instruction ID: 8ea3abe6c2c480cb9199e4cb4a518c3476eecbab5eb55209a7902f1bb266969a
                      • Opcode Fuzzy Hash: 300fffc29bf62bb474ec6c112401c5cb9edea566bc8f60dde96dd2bf2f37406f
                      • Instruction Fuzzy Hash: B831C971500619ABFF20EEBDDC849DF77AC9F49224F1041B9E9D4A2090D735D9458B20
                      APIs
                      • GetLocalTime.KERNEL32(?), ref: 01048257
                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 01048267
                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01048273
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01048310
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01048324
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01048356
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0104838C
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01048395
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CurrentDirectoryTime$File$Local$System
                      • String ID: *.*
                      • API String ID: 1464919966-438819550
                      • Opcode ID: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
                      • Instruction ID: 89c388f2d129912c32cfb226af37599b023e3ba6269f36bcfb1e4eb5fddcac56
                      • Opcode Fuzzy Hash: 50c228fe0ce6fb6d992c7b7460577c18d8f9591c53aa6803462a05983567cf86
                      • Instruction Fuzzy Hash: D9616BB25043059FD710EF64C8849AEB3E9FF89310F08896EF9C997261DB35E945CB92
                      APIs
                        • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                        • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                      • FindFirstFileW.KERNEL32(?,?), ref: 0103D122
                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0103D1DD
                      • MoveFileW.KERNEL32(?,?), ref: 0103D1F0
                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D20D
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D237
                        • Part of subcall function 0103D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0103D21C,?,?), ref: 0103D2B2
                      • FindClose.KERNEL32(00000000,?,?,?), ref: 0103D253
                      • FindClose.KERNEL32(00000000), ref: 0103D264
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                      • String ID: \*.*
                      • API String ID: 1946585618-1173974218
                      • Opcode ID: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
                      • Instruction ID: cb7a299331571eeeea31f0c4053f359cb4add79073c826cd9ce061643095210b
                      • Opcode Fuzzy Hash: b34dc27b3d8c0b190049897ee193e3ee4390024ece62ea5156013a2ca5faf892
                      • Instruction Fuzzy Hash: 5261BF31D0510DABCF05EBE0DE929EDB7BAAF51300F6841A6E48173291EB359F09DB61
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                      • String ID:
                      • API String ID: 1737998785-0
                      • Opcode ID: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
                      • Instruction ID: babc42bac95da38c92b3c6a7831d4689abbd8c5e7e65a190700bbaa6f69c7313
                      • Opcode Fuzzy Hash: acc108c61bb502c0bc0e3cfc348f11cc846743caf7719085ecf126eaceb278a1
                      • Instruction Fuzzy Hash: F4418D75204611AFE721DF19D488B19BBE5FF48318F04C0A9E89A8B662C77AFC41CB90
                      APIs
                        • Part of subcall function 010316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                        • Part of subcall function 010316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                        • Part of subcall function 010316C3: GetLastError.KERNEL32 ref: 0103174A
                      • ExitWindowsEx.USER32(?,00000000), ref: 0103E932
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                      • String ID: $ $@$SeShutdownPrivilege
                      • API String ID: 2234035333-3163812486
                      • Opcode ID: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
                      • Instruction ID: 80ebed5fcc2eead0c79f8891104191edd3015d95d09cba3b71592ab51d7080a8
                      • Opcode Fuzzy Hash: c697a9bc40abe1edfb24679dc2e8d04462e1e722006086ddf00d1c9cf9cfc56e
                      • Instruction Fuzzy Hash: BE01D672610211ABFB6426B8DD85BFF729C9798750F054A23FDC2E21D1D5A55C4083A0
                      APIs
                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01051276
                      • WSAGetLastError.WSOCK32 ref: 01051283
                      • bind.WSOCK32(00000000,?,00000010), ref: 010512BA
                      • WSAGetLastError.WSOCK32 ref: 010512C5
                      • closesocket.WSOCK32(00000000), ref: 010512F4
                      • listen.WSOCK32(00000000,00000005), ref: 01051303
                      • WSAGetLastError.WSOCK32 ref: 0105130D
                      • closesocket.WSOCK32(00000000), ref: 0105133C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorLast$closesocket$bindlistensocket
                      • String ID:
                      • API String ID: 540024437-0
                      • Opcode ID: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
                      • Instruction ID: 6bd6cf47d1d41ae6da3d8f58b29fcfd5446e1f2e5a536ac13f0bd75c587de4d4
                      • Opcode Fuzzy Hash: cae4d2e9538f350e8f9fdc23fdcb886fddb3963f877289bc5ed0b1689bee2ed5
                      • Instruction Fuzzy Hash: 9B41A5716001019FE760DF28C584B2ABBE6BF46314F188189D9968F397C775ED81CBE1
                      APIs
                        • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                        • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                      • FindFirstFileW.KERNEL32(?,?), ref: 0103D420
                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 0103D470
                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0103D481
                      • FindClose.KERNEL32(00000000), ref: 0103D498
                      • FindClose.KERNEL32(00000000), ref: 0103D4A1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                      • String ID: \*.*
                      • API String ID: 2649000838-1173974218
                      • Opcode ID: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
                      • Instruction ID: f8a2c329f6c347e5d1c3292750eedae073c95b678d16646283525312ea0b205c
                      • Opcode Fuzzy Hash: 642066ebba6c1707c525a0e53e183fd752b39e0f8f5c97d5435ba314c550e5ce
                      • Instruction Fuzzy Hash: 553180710083419BC311EFA4D9918EFB7EDAE91304F884A1EF4D593291EB29AA09D763
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
                      • Instruction ID: 01aa5b001b67852e293d4770672c739603a912062382d8945df2a8df8f19695e
                      • Opcode Fuzzy Hash: 8645c4c026ade8bb86fcab9077ade6cbf3269ae5d4e726b4c2ac3319c353c8fa
                      • Instruction Fuzzy Hash: 54C25B71E046298FEB76CE28DD407EAB7B5EB44304F1445EAD58DE7281E778AE818F40
                      APIs
                      • _wcslen.LIBCMT ref: 010464DC
                      • CoInitialize.OLE32(00000000), ref: 01046639
                      • CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 01046650
                      • CoUninitialize.OLE32 ref: 010468D4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 886957087-24824748
                      • Opcode ID: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
                      • Instruction ID: a3e33251b70a73d90e4e002b2839a3dc012b42eb9f9258247a73c9c30c2a09be
                      • Opcode Fuzzy Hash: 770ff7b04fa12457afd9275f8d781dc196aa5a72acb6287cc458275b8fb9dd2c
                      • Instruction Fuzzy Hash: 7ED16AB1508301AFD310EF24C88196BB7E9FF89704F44496DF5958B2A1EB71E905CBA2
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 01049B78
                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 01049C8B
                        • Part of subcall function 01043874: GetInputState.USER32 ref: 010438CB
                        • Part of subcall function 01043874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966
                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 01049BA8
                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 01049C75
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                      • String ID: *.*
                      • API String ID: 1972594611-438819550
                      • Opcode ID: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
                      • Instruction ID: 3ed46a6230afd2151efb2499bec2f99cb6a902b37ae10ceacc6ebae57e08e29b
                      • Opcode Fuzzy Hash: b534d96892717337a7fb92a004027f068efdd58263be26c9114206c85ec17b51
                      • Instruction Fuzzy Hash: 6741B1B190020E9FDF54DFA4C985AEE7BF8EF09304F1440B6E985A2290EB319E44CF64
                      APIs
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00FE9A4E
                      • GetSysColor.USER32(0000000F), ref: 00FE9B23
                      • SetBkColor.GDI32(?,00000000), ref: 00FE9B36
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Color$LongProcWindow
                      • String ID:
                      • API String ID: 3131106179-0
                      • Opcode ID: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
                      • Instruction ID: 50fe7357a8a512e8e93114149e42e3a1089d47edc89b2529df5cf4f490a4f851
                      • Opcode Fuzzy Hash: c9e7560634d675298f5bb6e60cc5bc140cfc63612620c679b50f42c7da806d23
                      • Instruction Fuzzy Hash: 35A14D7110C5A0BEF7389A3E8C48EBF3A9DEF56714F144119F182C6685CAB98D01E371
                      APIs
                        • Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                        • Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B
                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0105185D
                      • WSAGetLastError.WSOCK32 ref: 01051884
                      • bind.WSOCK32(00000000,?,00000010), ref: 010518DB
                      • WSAGetLastError.WSOCK32 ref: 010518E6
                      • closesocket.WSOCK32(00000000), ref: 01051915
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 1601658205-0
                      • Opcode ID: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
                      • Instruction ID: 61f91d1e300eb151520e5d8140a8bcb67db5c724ceb241338f05f4720b2ac74d
                      • Opcode Fuzzy Hash: 7fb4898a1d0427d8872c53030e9722397f912825c708b3b8d81768075b5f00c2
                      • Instruction Fuzzy Hash: 9751B471A00200AFEB20EF24C886F6A77E5AB44718F088099F9459F3C7D779AD41CBE1
                      APIs
                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0104CF38
                      • InternetReadFile.WININET(?,00000000,?,?), ref: 0104CF6F
                      • GetLastError.KERNEL32(?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFB4
                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFC8
                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,0104C21E,00000000), ref: 0104CFF2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                      • String ID:
                      • API String ID: 3191363074-0
                      • Opcode ID: bec99e34b29e23b4b27b7868dbb3594547d5a20e8e130855aeca7f46d8c67935
                      • Instruction ID: b086ef5dfcb26dfb66ec7399bad82915cdb9e3a546caa9321f874dd2907b71ea
                      • Opcode Fuzzy Hash: bec99e34b29e23b4b27b7868dbb3594547d5a20e8e130855aeca7f46d8c67935
                      • Instruction Fuzzy Hash: 53317FB1601205AFFB20DFA9CAC4AAFBBF8EF14210B10447EF586D2101D739AA419B60
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                      • String ID:
                      • API String ID: 292994002-0
                      • Opcode ID: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
                      • Instruction ID: ebf2981708eebd97008696d552f99e13faef89fdffe65a7c345b7ad25a8b491e
                      • Opcode Fuzzy Hash: 3e56b25972ef08b2e1a490719495e14bb93a715c99d24ea4261d62b07183b578
                      • Instruction Fuzzy Hash: E321A3317002055FE7609F1AC844B6E7BE9EFD9325F1980A9E8C6CB355CB76E842CB90
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                      • API String ID: 0-1546025612
                      • Opcode ID: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
                      • Instruction ID: fd783ea7e3aa4f714c8c15afa0282784ae64bfd26ab31c23cb88333f00fc1a15
                      • Opcode Fuzzy Hash: 192ba38198a8c9cb1e85ce42f9d698afb3c011f5dee5118c574f066f44e5d7c2
                      • Instruction Fuzzy Hash: F2A26071E0021ACBDF25CF58C8407AEB7B2BF44354F28819AE855AB389DB759D82DF50
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0105A6AC
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0105A6BA
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • Process32NextW.KERNEL32(00000000,?), ref: 0105A79C
                      • CloseHandle.KERNEL32(00000000), ref: 0105A7AB
                        • Part of subcall function 00FECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01013303,?), ref: 00FECE8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                      • String ID:
                      • API String ID: 1991900642-0
                      • Opcode ID: 3dbaa299f28bdf1736292122c8af98e6fd3b8c7d310e4ee9d2696a808ebd111c
                      • Instruction ID: fc991e07acde005aba084862bffa114540eb76c8dd8c06c6d3b8c0b66457e0b8
                      • Opcode Fuzzy Hash: 3dbaa299f28bdf1736292122c8af98e6fd3b8c7d310e4ee9d2696a808ebd111c
                      • Instruction Fuzzy Hash: 52518C71608300AFD710EF24CC85A6BBBE9FF89714F04891EF98597291EB34D904DB92
                      APIs
                      • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0103ABF1
                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 0103AC0D
                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 0103AC74
                      • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0103ACC6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      • Opcode ID: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
                      • Instruction ID: 9dd1878bdabc5d9ed73ff7b1dc56508a41f4d07f91573ae32e669b6efcb5c30c
                      • Opcode Fuzzy Hash: 193165305aa3b43e39188de519a2615257efd2876c212a6602e79eb8c4d7d178
                      • Instruction Fuzzy Hash: F331E330B2461CEFFB358A6988087FE7AADABC9320F08425AE4C5D71D1C37989858B51
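The two records above (a Toolhelp32 process walk that ends in CompareStringW, and a GetKeyboardState/SetKeyboardState/SendInput sequence) are typical of what a triage analyst reads off this listing. The following is an added example, written for this page and not part of Joe Sandbox or of the sample: a small parser for the per-function "APIs" records in this format that groups the calls per function and tags the behaviour each chain implies. The rule table is an assumption of this example, not the report's own signature logic; the input is constructed from lines copied from records on this page.

```python
"""Parse Joe Sandbox per-function 'APIs' listings and tag API chains."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "• API.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXXXXXX:" when the call is made by a callee.
_API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                        # address of the call site
    subcall: Optional[int] = None   # callee address, if reported via a subcall


@dataclass
class FunctionRecord:
    calls: List[Call] = field(default_factory=list)

    def apis(self):
        return {c.api for c in self.calls}


def parse_api_records(text):
    """Return one FunctionRecord per 'APIs' header in the listing."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = _API_LINE.match(line)
        if m and current is not None:
            args = [a for a in (m.group("args") or "").split(",") if a]
            current.calls.append(Call(
                api=m.group("api"), module=m.group("mod"), args=args,
                ref=int(m.group("ref"), 16),
                subcall=int(m.group("sub"), 16) if m.group("sub") else None))
    return records


# Label -> APIs that must all appear in one function (assumed mapping).
RULES = [
    ("walks the process list (Toolhelp32)",
     {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    ("compares process names (ProcessExists-style lookup)",
     {"Process32NextW", "CompareStringW"}),
    ("injects synthetic keystrokes", {"SendInput"}),
    ("injects synthetic keystrokes", {"keybd_event"}),
    ("adjusts token privileges",
     {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}),
    ("sends a raw IOCTL to a device", {"CreateFileW", "DeviceIoControl"}),
    ("checks membership of a well-known group",
     {"AllocateAndInitializeSid", "CheckTokenMembership"}),
]


def tag_record(record):
    """Sorted, de-duplicated labels whose required APIs are all present."""
    present = record.apis()
    return sorted({label for label, needed in RULES if needed <= present})


# Constructed input: lines copied from three records on this page.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0105A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0105A6BA
  • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0105A79C
• CloseHandle.KERNEL32(00000000), ref: 0105A7AB
  • Part of subcall function 00FECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,01013303,?), ref: 00FECE8A
Memory Dump Source
APIs
• GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0103ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0103AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0103AC74
• SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0103ACC6
Memory Dump Source
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D608
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0103D645
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D650
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_api_records(SAMPLE)):
        print(i, sorted(rec.apis()), tag_record(rec))
```

The rules are deliberately conjunctive: a lone CloseHandle or CreateFileW tags nothing, while Process32NextW together with CompareStringW is what distinguishes a name lookup from a plain enumeration. Calls reported under "Part of subcall function" are kept in the same record, since the report attributes them to the enclosing function.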
                      APIs
                      • _free.LIBCMT ref: 0100BB7F
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • GetTimeZoneInformation.KERNEL32 ref: 0100BB91
                      • WideCharToMultiByte.KERNEL32(00000000,?,010A121C,000000FF,?,0000003F,?,?), ref: 0100BC09
                      • WideCharToMultiByte.KERNEL32(00000000,?,010A1270,000000FF,?,0000003F,?,?,?,010A121C,000000FF,?,0000003F,?,?), ref: 0100BC36
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                      • String ID:
                      • API String ID: 806657224-0
                      • Opcode ID: fb3b70ee6746ffeca20b90bf640eb2a0fac534f0b6a3063eca4241652253f263
                      • Instruction ID: 776a72e08e34659c273bb9586f5483fbc8714895e03d535ad6a00bb9e4d55716
                      • Opcode Fuzzy Hash: fb3b70ee6746ffeca20b90bf640eb2a0fac534f0b6a3063eca4241652253f263
                      • Instruction Fuzzy Hash: 9C31D2B4904645EFEB22DFA9C88086DBBF8FF56250F1442AAE1E0DB2E5D7319950CB50
                      APIs
                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 010382AA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: lstrlen
                      • String ID: ($|
                      • API String ID: 1659193697-1631851259
                      • Opcode ID: 4f31b55d1c75a0d44e37bf76a0ff14a522b919d2d4faae6b6a600bb77854dedd
                      • Instruction ID: 3738ef1e401efcb0a3ce044447e9a183072cdbd71548fd124967628aac65165d
                      • Opcode Fuzzy Hash: 4f31b55d1c75a0d44e37bf76a0ff14a522b919d2d4faae6b6a600bb77854dedd
                      • Instruction Fuzzy Hash: 21322575A006059FDB28CF69C480A6AB7F5FF88310B15C5AEE59ADB3A1E770E941CB40
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 01045CC1
                      • FindNextFileW.KERNEL32(00000000,?), ref: 01045D17
                      • FindClose.KERNEL32(?), ref: 01045D5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Find$File$CloseFirstNext
                      • String ID:
                      • API String ID: 3541575487-0
                      • Opcode ID: f3305cc5143db0a347c9507ce3092a95c938d8442e92aa6c2fe9cec887e0ff9e
                      • Instruction ID: 449fb7bc8f65adadd29aafe9ee658e15228dae67a86d2c9f4ba653a94ccad7e9
                      • Opcode Fuzzy Hash: f3305cc5143db0a347c9507ce3092a95c938d8442e92aa6c2fe9cec887e0ff9e
                      • Instruction Fuzzy Hash: F151AD746046019FD724DF28C8D4A9AB7E4FF49314F1485AEE99A8B3A2CB34E905CB91
                      APIs
                      • IsDebuggerPresent.KERNEL32 ref: 0100271A
                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 01002724
                      • UnhandledExceptionFilter.KERNEL32(?), ref: 01002731
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
                      • Instruction ID: e92bec0c1fb3faf21c503902753ac48cea94c07c993f014aafdfa27a68dd1101
                      • Opcode Fuzzy Hash: 68c5080cd64def85ba0612e18e2e0994427c7958af4e46bce5ace890e79fdb7b
                      • Instruction Fuzzy Hash: 9B31D67491122C9BDB61DF68DD887DCBBB8BF08310F5041EAE94CA7261EB749B818F44
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 010451DA
                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 01045238
                      • SetErrorMode.KERNEL32(00000000), ref: 010452A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorMode$DiskFreeSpace
                      • String ID:
                      • API String ID: 1682464887-0
                      • Opcode ID: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
                      • Instruction ID: 5ed4d6fe5819f208ea5802754aca3d7c655328ab165b85b238b606712e0ee09a
                      • Opcode Fuzzy Hash: ec2eae5b0fab865c891787b37efc1c73b83e8fe76f3affd69aca3efbb8fe6423
                      • Instruction Fuzzy Hash: 18316B75A00109DFDB00DF94D884EADBBB5FF49314F08809AE845AB356DB36E845CBA0
                      APIs
                        • Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0668
                        • Part of subcall function 00FEFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00FF0685
                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0103170D
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0103173A
                      • GetLastError.KERNEL32 ref: 0103174A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                      • String ID:
                      • API String ID: 577356006-0
                      • Opcode ID: 2a4242ad1952b20da8fc139a43cff9c1e5d9fd6935b7dd92a422749179300082
                      • Instruction ID: f964b78c303dbee9335a1beda1e03718c44e122da94b89684b45e6fe405e8af9
                      • Opcode Fuzzy Hash: 2a4242ad1952b20da8fc139a43cff9c1e5d9fd6935b7dd92a422749179300082
                      • Instruction Fuzzy Hash: 4211C1B2404305AFE7289F54DC86D6ABBFDFB48754B24852EF09653241EB75BC428B20
                      APIs
                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D608
                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0103D645
                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0103D650
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CloseControlCreateDeviceFileHandle
                      • String ID:
                      • API String ID: 33631002-0
                      • Opcode ID: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
                      • Instruction ID: 8d801ab79489189a67e4651672e8530663e5453eae8e1d0a26dfcc5e7899954f
                      • Opcode Fuzzy Hash: 4bd35dd99f60740a3a61c32ba26c9daf40a86caffeb58cbf74624a028db5296f
                      • Instruction Fuzzy Hash: 59118E71E01228BFEB208F99DC44FAFBFBCEB89B50F108151F954E7290C2704A058BA1
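The DeviceIoControl record above carries the most useful constant in this section: control code 002D1400, a 12-byte (0000000C) input buffer and a 40-byte (00000028) output buffer. Decoding the code with the CTL_CODE layout gives IOCTL_STORAGE_QUERY_PROPERTY on FILE_DEVICE_MASS_STORAGE, and the buffer sizes match sizeof(STORAGE_PROPERTY_QUERY) and the fixed 40-byte header of STORAGE_DEVICE_DESCRIPTOR, whose BusType field is what VM-aware code reads. The following is an added example written for this page, not code from the sample or from Joe Sandbox: it decodes the IOCTL and parses a descriptor. The structure layouts and enum values are the documented Windows definitions; the descriptor bytes are constructed here for the example.

```python
"""Decode a DeviceIoControl control code and parse STORAGE_DEVICE_DESCRIPTOR."""
import struct

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
# (device type, function) -> name, for a few storage IOCTLs commonly seen
# in hardware fingerprinting; extend as needed.
KNOWN = {
    (0x2D, 0x500): "IOCTL_STORAGE_QUERY_PROPERTY",
    (0x2D, 0x420): "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    (0x07, 0x000): "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    (0x04, 0x401): "IOCTL_SCSI_PASS_THROUGH",
}


def ctl_code(device_type, function, method, access):
    """CTL_CODE() as defined in the DDK headers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    device = (code >> 16) & 0xFFFF
    function = (code >> 2) & 0xFFF
    return {
        "code": code,
        "device_type": DEVICE_TYPES.get(device, "0x%X" % device),
        "function": function,
        "method": METHODS[code & 0x3],
        "access": ACCESS[(code >> 14) & 0x3],
        "name": KNOWN.get((device, function)),
    }


# STORAGE_BUS_TYPE; Virtual and FileBackedVirtual are the values a
# sandbox-aware sample looks for.
BUS_TYPES = {0: "Unknown", 1: "Scsi", 2: "Atapi", 3: "Ata", 4: "1394",
             5: "Ssa", 6: "Fibre", 7: "Usb", 8: "RAID", 9: "iScsi",
             10: "Sas", 11: "Sata", 12: "Sd", 13: "Mmc", 14: "Virtual",
             15: "FileBackedVirtual", 16: "Spaces", 17: "Nvme"}

# Fixed part of STORAGE_DEVICE_DESCRIPTOR: 36 bytes of fields padded to 40,
# which is exactly the 0x28 output-buffer size in the call above.
_DESC_FMT = "<IIBBBBIIIIII"
DESCRIPTOR_SIZE = 40


def parse_storage_device_descriptor(buf):
    if len(buf) < DESCRIPTOR_SIZE:
        raise ValueError("buffer shorter than STORAGE_DEVICE_DESCRIPTOR")
    (_version, size, _dev_type, _dev_mod, removable, _cmdq,
     vendor_off, product_off, _rev_off, serial_off,
     bus_type, _raw_len) = struct.unpack_from(_DESC_FMT, buf, 0)

    def cstr(off):
        # String offsets are relative to the descriptor start; 0 means absent.
        if off == 0 or off >= len(buf):
            return ""
        end = buf.find(b"\0", off)
        raw = buf[off:end if end != -1 else len(buf)]
        return raw.decode("ascii", "replace").strip()

    return {"size": size, "removable": bool(removable),
            "bus_type": BUS_TYPES.get(bus_type, "0x%X" % bus_type),
            "vendor": cstr(vendor_off), "product": cstr(product_off),
            "serial": cstr(serial_off)}


def build_descriptor(bus_type, vendor, product, serial):
    """Construct a descriptor laid out as the storage stack returns it (test data)."""
    strings, offsets = b"", []
    for s in (vendor, product, serial):
        offsets.append(DESCRIPTOR_SIZE + len(strings))
        strings += s.encode("ascii") + b"\0"
    fixed = struct.pack(_DESC_FMT, DESCRIPTOR_SIZE, DESCRIPTOR_SIZE + len(strings),
                        0, 0, 0, 1, offsets[0], offsets[1], 0, offsets[2], bus_type, 0)
    return fixed + b"\0" * (DESCRIPTOR_SIZE - len(fixed)) + strings


if __name__ == "__main__":
    print(decode_ioctl(0x2D1400))
    sample = build_descriptor(14, "VEN", "CONSTRUCTED DISK", "SN-0001")
    print(parse_storage_device_descriptor(sample))
```

A 40-byte output buffer holds only the fixed header, so a caller sized like the one in the record can read DeviceType, RemovableMedia and BusType but not the vendor, product or serial strings that follow it; those need a second call with the Size the header reports. The parser handles a truncated buffer by returning empty strings for offsets that fall outside it.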
                      APIs
                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0103168C
                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 010316A1
                      • FreeSid.ADVAPI32(?), ref: 010316B1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      • Opcode ID: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
                      • Instruction ID: d282448011c609ac5500226286ed6c9a9df300e199acfe9ba5d70c70ea3946fe
                      • Opcode Fuzzy Hash: 6685a54fedf5f2e0fd73911b7d918dd6e068f3e98fa515b8ef98c9572a659bec
                      • Instruction Fuzzy Hash: 34F0177195030DBBEF00DFE4DA89EAEBBBCFB08604F5045A5F541E2181E775AA449B50
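The AllocateAndInitializeSid arguments in the record above (sub-authority count 00000002, sub-authorities 00000020 and 00000220) are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, so the SID handed to CheckTokenMembership is S-1-5-32-544, BUILTIN\Administrators; this is the documented pattern for asking whether the caller's token is an administrator. The following is an added example written for this page, not code from the sample or from Joe Sandbox: it rebuilds that SID from the argument values the report prints. The identifier authority is passed by pointer and shows as "?", so SECURITY_NT_AUTHORITY (5) is an assumption of the example.

```python
"""Rebuild the SID an AllocateAndInitializeSid call constructs, from its
arguments as printed in a sandbox API trace."""
import struct

SECURITY_NT_AUTHORITY = 5          # assumed: the trace shows only '?' for the pointer
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-1-0": "Everyone",
}


def build_sid(identifier_authority, sub_authorities):
    """Binary SID: revision 1, sub-authority count, 6-byte big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if not 1 <= len(sub_authorities) <= 8:
        raise ValueError("a SID carries between 1 and 8 sub-authorities")
    return (struct.pack("<BB", 1, len(sub_authorities))
            + identifier_authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(sub_authorities), *sub_authorities))


def sid_to_string(sid):
    """Render a binary SID in the S-R-I-S... string form."""
    revision, count = struct.unpack_from("<BB", sid, 0)
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    # Authorities that do not fit in 32 bits are rendered in hex, as Windows does.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012X" % authority
    return "S-%d-%s" % (revision, auth_text) + "".join("-%d" % s for s in subs)


def sid_from_allocate_args(args, identifier_authority=SECURITY_NT_AUTHORITY):
    """args: the comma-separated values as printed in the trace line, i.e.
    [pIdentifierAuthority, nSubAuthorityCount, sub0 .. sub7, ..., ppSid]."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return sid_to_string(build_sid(identifier_authority, subs))


def describe(sid_string):
    return WELL_KNOWN.get(sid_string, "not in the well-known table")


if __name__ == "__main__":
    # Argument list copied from the AllocateAndInitializeSid line above.
    trace_args = ("?,00000002,00000020,00000220,00000000,00000000,"
                  "00000000,00000000,00000000,00000000,?,?").split(",")
    sid = sid_from_allocate_args(trace_args)
    print(sid, describe(sid))
```

Only the first nSubAuthorityCount sub-authority slots are meaningful; the remaining 00000000 values in the trace are the unused slots of the eight the API accepts, which is why the helper slices on the count rather than on the zero values.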
                      APIs
                      • GetCurrentProcess.KERNEL32(010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D09
                      • TerminateProcess.KERNEL32(00000000,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000,?,010028E9), ref: 00FF4D10
                      • ExitProcess.KERNEL32 ref: 00FF4D22
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
                      • Instruction ID: dd3bd8d5f315e177d6ac8e20d6974adf0ad38c3c727fa31433ea9090adfb0977
                      • Opcode Fuzzy Hash: 3d583b95afa7975b521004411a0061bb8632b6ec4b028626c8c94a5c0039d040
                      • Instruction Fuzzy Hash: E4E0BF31400149AFEF216F54DE09A593F69FF45751F104014FD958A236DB3AED41DB40
                      APIs
                      • GetUserNameW.ADVAPI32(?,?), ref: 0102D28C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: NameUser
                      • String ID: X64
                      • API String ID: 2645101109-893830106
                      • Opcode ID: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
                      • Instruction ID: 59a85cd1df27af151765ae17e854bbb383f90df89072e7b44d204ffd8565e3d5
                      • Opcode Fuzzy Hash: 5f94aea65c0b685a248f10e8288d9915435c0d418f71aaff50318ace63582436
                      • Instruction Fuzzy Hash: E9D0C9B580112DEADB90CA90D888DDDB37CBB15305F000151F146A2000D73495488F20
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                      • Instruction ID: 4ccd1399953d85e68ea14bdf8b2d6f38a22597120b58525ae0aca02e08702fef
                      • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                      • Instruction Fuzzy Hash: 28023D72E0012D9BDF14CFA9C9806ADFBF1EF88324F254169DA19E7394D731A941DB90
                      APIs
                      • FindFirstFileW.KERNEL32(?,?), ref: 01046918
                      • FindClose.KERNEL32(00000000), ref: 01046961
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID:
                      • API String ID: 2295610775-0
                      • Opcode ID: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
                      • Instruction ID: bf955dceeef3292fb1fcfb25510a8fff74e69a5a633faee7a4625c2f320c9eb8
                      • Opcode Fuzzy Hash: 33f6bc739d6e0e6040e88bd3cf443cc8c522db5d483faa0318e622abebe544f5
                      • Instruction Fuzzy Hash: 9311D3756042019FD710DF29D4C4A16BBE5FF85328F08C6A9E8A98F3A2D775EC05CB91
                      APIs
                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437E4
                      • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,01054891,?,?,00000035,?), ref: 010437F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorFormatLastMessage
                      • String ID:
                      • API String ID: 3479602957-0
                      • Opcode ID: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
                      • Instruction ID: 37e316932e0f150dfc82f71920b8bb106174abebf1a071f8fdeb886f7b6a3530
                      • Opcode Fuzzy Hash: 86c2e27cee6cfdecd89f24863a318f6c7161f90904989d33d39595d166f991c1
                      • Instruction Fuzzy Hash: 53F0E5B06052392BE77056B68C8DFEB3AAEFFC4761F0001B5F589D2285D9609904C7B0
                      APIs
                      • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0103B25D
                      • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0103B270
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: InputSendkeybd_event
                      • String ID:
                      • API String ID: 3536248340-0
                      • Opcode ID: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
                      • Instruction ID: 109d915899253d661e65cb9c25f1823e78611c1380bbf9237e9071a817a73bc7
                      • Opcode Fuzzy Hash: 58e7e495833f451f595b6e69007f24fa3fbd01c813750e9a5f15e952e3591158
                      • Instruction Fuzzy Hash: 4BF01D7180428DABEB159FA5C806BAE7FB4FF04309F00804AF9A5A5192C77D82119F94
                      APIs
                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,010311FC), ref: 010310D4
                      • CloseHandle.KERNEL32(?,?,010311FC), ref: 010310E9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AdjustCloseHandlePrivilegesToken
                      • String ID:
                      • API String ID: 81990902-0
                      • Opcode ID: ff5116fb3551957c23380a2b391b0367c5e67823fe34866f20382d60e43a882c
                      • Instruction ID: 30ede0a4d6451eaf9f9fec9155c1929e1377e5ca66c3c1f399178656af0fa2bb
                      • Opcode Fuzzy Hash: ff5116fb3551957c23380a2b391b0367c5e67823fe34866f20382d60e43a882c
                      • Instruction Fuzzy Hash: 6BE04F32008650AEF7352B12FC05E777BE9EB04310B10882EF5E5804B5DB666C90EB10
                      Strings
                      • Variable is not of type 'Object'., xrefs: 01020C40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                       • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                       • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: Variable is not of type 'Object'.
                      • API String ID: 0-1840281001
                      • Opcode ID: a7ab2715577ffda52bd982f53ab0b9586634b46846ef5cd1787d72a32b2d490e
                      • Instruction ID: 4a5577ef427f9febae2b49f1e80bb5e10da1266156668357bba5ea86bbf3da2f
                      • Opcode Fuzzy Hash: a7ab2715577ffda52bd982f53ab0b9586634b46846ef5cd1787d72a32b2d490e
                      • Instruction Fuzzy Hash: EF32AE71900219DBDF14DF94CC80BEDB7B6FF04304F18809AE846AB396D775AA45EBA0
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01006766,?,?,00000008,?,?,0100FEFE,00000000), ref: 01006998
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
                      • Instruction ID: 99526bc5fcd4f79117a5c95f39e5193694568e23f0510e5416f9ba47d5fcf900
                      • Opcode Fuzzy Hash: c97c5bbbb96ba30ff39b352161982393451a679cf4c731aebb2414e4727daaab
                      • Instruction Fuzzy Hash: 84B127715106088FE756CF28C486BA57BE1FB45364F258698E9D9CF2E2C336DAA1CB40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID: 0-3916222277
                      • Opcode ID: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
                      • Instruction ID: 7db1adb3b5331bb495decdfa863fe0bc1e92d8dd02ec9553e9aa346f8f2e8c75
                      • Opcode Fuzzy Hash: 71776bdce07a31d2ea9ba8e4498756646a99d2076ecad04391e8e292dd1b230f
                      • Instruction Fuzzy Hash: C1126D75E002299FDB64CF59C8807EEB7F5FF48310F1481AAE849EB255E7349A81DB90
                      APIs
                      • BlockInput.USER32(00000001), ref: 0104EABD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: BlockInput
                      • String ID:
                      • API String ID: 3456056419-0
                      • Opcode ID: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
                      • Instruction ID: 4d1aac7f34563379c58b5edebf32929b05adc75eea9791c17a8f02b0563446dc
                      • Opcode Fuzzy Hash: 54025ea59407de34651efe8f09bfcdfb05e8182cc7e32413509749a45a110a39
                      • Instruction Fuzzy Hash: 5CE01A752002059FD710EF59D844E9AB7E9BF98760F048426FD89C7361DA78B8408BA0
                      APIs
                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0103E37E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: mouse_event
                      • String ID:
                      • API String ID: 2434400541-0
                      • Opcode ID: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
                      • Instruction ID: f5bb6715def672c96469aac6b50a97fd8419349b1a6def3e97f7b910dbfd277d
                      • Opcode Fuzzy Hash: bea9f07d9111ced970e9fef2ae11e3f770ce8fed831e919e95e78262694d6245
                      • Instruction Fuzzy Hash: 71D05EF21902017DFABD0A3CCE2FF7A298CE381580F40D789B2C189599DA91A4444021
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00FF03EE), ref: 00FF09DA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
                      • Instruction ID: 1f02813f8fd5385b5077cc27e466e65b2bec5508b0c3db8b4cf9d54d2827a163
                      • Opcode Fuzzy Hash: ba17940a342e1df17bcee826ae40dc776b804be279516fb59e6b21fe1a91d5d6
                      • Instruction Fuzzy Hash:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                      • Instruction ID: 5544599811cfa79770dc1e8201303a8d8bad75a87c85acc80163a15476ae8a42
                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                      • Instruction Fuzzy Hash: DB514862E0C70D56DB38796888997BFE3959F123E0F280509DB82C72B2C659DE06F355
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
                      • Instruction ID: 24b8b2a91277d4fcbdafa379be8684007cdff0da658c5e8c0854939043b5d9c9
                      • Opcode Fuzzy Hash: 1a2e3f57e5c1641b8acfce6e048a3178e8d20b868e7bfa4eb4b9f88fc87ae372
                      • Instruction Fuzzy Hash: 5C323431D29F414DE7639538C822335B689AFB73C5F15C737E89AB599AEB2ED4834200
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
                      • Instruction ID: 70b038e4bef0bc05348cef1d8273fb8f30093a7e613815df0eacb75598c94ab8
                      • Opcode Fuzzy Hash: 72a607b19cbd2964af8c784064f45735b2c5a98ba77ab0c8923dcec083d23ef3
                      • Instruction Fuzzy Hash: 2C321A31A001E58BFF34CE2DC694A7D7BE1FB45314F2881A6E6D9DB291D234D982DB41
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e2e867e459391d8ea65f3338bd200bd167372ee5236301e2acc6646f6e4c233
                      • Instruction ID: 317fde71dcc11131a820f6772c7c8e0207fac548c400601210bd9a2ae7617dbd
                      • Opcode Fuzzy Hash: 5e2e867e459391d8ea65f3338bd200bd167372ee5236301e2acc6646f6e4c233
                      • Instruction Fuzzy Hash: A622C270A042099FDF14DF64DC41AAEB7F6FF85300F14462AE852AB395EB3AA914DB50
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 23a59ef3d4fa00bad00f7918c0bbb5b6ab42f113cdb8931d06da94cb37c30eb5
                      • Instruction ID: 0faa497818f2ef4ab7d635ebafa68bba130f5ed522d46faccb1d57dcc2515940
                      • Opcode Fuzzy Hash: 23a59ef3d4fa00bad00f7918c0bbb5b6ab42f113cdb8931d06da94cb37c30eb5
                      • Instruction Fuzzy Hash: A70208B1E00209EBDB05DF64DC81AAEBBB1FF44300F548165E846DB395EB79E910DB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                      • Instruction ID: f2098679692de4a8190f33a787f3f96a71c518a4a0d481fe43ea04d2bc8a21d6
                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                      • Instruction Fuzzy Hash: D4918733A080A78ADB29463A857417EFFF16E923B131A079DD5F2CA1E5FE10D954F620
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                      • Instruction ID: f6a8aaabbb977991276218e8b1d81ed9c15d4a5e06c0fdbae832a9987a5e9524
                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                      • Instruction Fuzzy Hash: A89143726090A789DB29467A857403EFFE16E923B131A079DD5F2CA1E1FD14C564B620
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
                      • Instruction ID: dc02e6e86b2565d12a880328d41a5d04ab8587fe5a3cbf09d84c374eedb58cfd
                      • Opcode Fuzzy Hash: c9709589cb8283b9647f1568d198ae612a879dc13ef1dee5fe304c155cce2aa3
                      • Instruction Fuzzy Hash: 1C618B32A0C70D96EA34792C8C95BBEF394DF82364F100959EB42CB2B5D9599E43F315
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
                      • Instruction ID: dc47338a7b956606dc2dd45e7da18ba914708ae38f93af1ad1c4332aa14c5062
                      • Opcode Fuzzy Hash: 11553f0c69f3b7b1bc255ed1dddd193d7fbcf316b7b9f37a820e80550faccee2
                      • Instruction Fuzzy Hash: 87619A32E0870D52DE3879285C91BBFF388DF42764F90085AEB42DB2B1DA56AD42F315
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                      • Instruction ID: 90993b1cc7899954c10c90672605173a2062aa95cfd0c6962a9596a3e2b8d29c
                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                      • Instruction Fuzzy Hash: 98818533A080A789EB2D423A857403EFFE17E923B131A079DD5F6CB1E1EE649554F660
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
                      • Instruction ID: 4f67654b7a043678e26b65c3e2c5e2f829bae330111f77e0e1c4c20638664efc
                      • Opcode Fuzzy Hash: 7c95f7cf2df7b625a7b0573be3ced746f1f61936de28eeccd6f9f451b6549263
                      • Instruction Fuzzy Hash: 7221D5723216158BD728CE79C82267A73E5A754210F54863EF4E7C77C1DE3AA904CB80
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 01052B30
                      • DeleteObject.GDI32(00000000), ref: 01052B43
                      • DestroyWindow.USER32 ref: 01052B52
                      • GetDesktopWindow.USER32 ref: 01052B6D
                      • GetWindowRect.USER32(00000000), ref: 01052B74
                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 01052CA3
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 01052CB1
                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052CF8
                      • GetClientRect.USER32(00000000,?), ref: 01052D04
                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01052D40
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D62
                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D75
                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D80
                      • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D89
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052D98
                      • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA1
                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DA8
                      • GlobalFree.KERNEL32(00000000), ref: 01052DB3
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052DC5
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0106FC38,00000000), ref: 01052DDB
                      • GlobalFree.KERNEL32(00000000), ref: 01052DEB
                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 01052E11
                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 01052E30
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01052E52
                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0105303F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                      • String ID: $AutoIt v3$DISPLAY$static
                      • API String ID: 2211948467-2373415609
                      • Opcode ID: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
                      • Instruction ID: 9b77dd510a6a82686d86d67bb73d1fa96cca34699dccd04ebc3eaefa7b5c80cf
                      • Opcode Fuzzy Hash: b298e345b099385fc7e3b7562d9cdc17a4e6a52c2a00a8c74cca2ae9e3550d9f
                      • Instruction Fuzzy Hash: 75028E71500205EFEB24DF64DD89EAE7BB9FF48310F048159F995AB2A5C779AD00CB60
                      APIs
                      • SetTextColor.GDI32(?,00000000), ref: 0106712F
                      • GetSysColorBrush.USER32(0000000F), ref: 01067160
                      • GetSysColor.USER32(0000000F), ref: 0106716C
                      • SetBkColor.GDI32(?,000000FF), ref: 01067186
                      • SelectObject.GDI32(?,?), ref: 01067195
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 010671C0
                      • GetSysColor.USER32(00000010), ref: 010671C8
                      • CreateSolidBrush.GDI32(00000000), ref: 010671CF
                      • FrameRect.USER32(?,?,00000000), ref: 010671DE
                      • DeleteObject.GDI32(00000000), ref: 010671E5
                      • InflateRect.USER32(?,000000FE,000000FE), ref: 01067230
                      • FillRect.USER32(?,?,?), ref: 01067262
                      • GetWindowLongW.USER32(?,000000F0), ref: 01067284
                        • Part of subcall function 010673E8: GetSysColor.USER32(00000012), ref: 01067421
                        • Part of subcall function 010673E8: SetTextColor.GDI32(?,?), ref: 01067425
                        • Part of subcall function 010673E8: GetSysColorBrush.USER32(0000000F), ref: 0106743B
                        • Part of subcall function 010673E8: GetSysColor.USER32(0000000F), ref: 01067446
                        • Part of subcall function 010673E8: GetSysColor.USER32(00000011), ref: 01067463
                        • Part of subcall function 010673E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
                        • Part of subcall function 010673E8: SelectObject.GDI32(?,00000000), ref: 01067482
                        • Part of subcall function 010673E8: SetBkColor.GDI32(?,00000000), ref: 0106748B
                        • Part of subcall function 010673E8: SelectObject.GDI32(?,?), ref: 01067498
                        • Part of subcall function 010673E8: InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
                        • Part of subcall function 010673E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
                        • Part of subcall function 010673E8: GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                      • String ID:
                      • API String ID: 4124339563-0
                      • Opcode ID: d9365c4abffce37d90a2837adf53087b8754be5d4b01b1333eaf09d99e66d67b
                      • Instruction ID: 8da13c21c10b3f6e4d728019516f6136fe5dcbbb2e1b427b7f13b812474e4751
                      • Opcode Fuzzy Hash: d9365c4abffce37d90a2837adf53087b8754be5d4b01b1333eaf09d99e66d67b
                      • Instruction Fuzzy Hash: 3EA18072008301EFE7219F64DD48A5B7BE9FB49324F100A19FAE2961E4D77AD944CB51
                      APIs
                      • DestroyWindow.USER32(?,?), ref: 00FE8E14
                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 01026AC5
                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 01026AFE
                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 01026F43
                        • Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5
                      • SendMessageW.USER32(?,00001053), ref: 01026F7F
                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 01026F96
                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FAC
                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 01026FB7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                      • String ID: 0
                      • API String ID: 2760611726-4108050209
                      • Opcode ID: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
                      • Instruction ID: 21859283a6d864f675cad6f2e71377f5ca167c457d49190ab5b78ce7b56a31cb
                      • Opcode Fuzzy Hash: ab4f3fedc18391296773d8f8d45b0fc9016b28a71bf6f8926ae9ba1ed94eb7ed
                      • Instruction Fuzzy Hash: 2012E130500261EFEB65EF18C944BAABBE5FF44300F5440A9F9D98B251CB37E892DB91
                      APIs
                      • DestroyWindow.USER32(00000000), ref: 0105273E
                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0105286A
                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 010528A9
                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 010528B9
                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 01052900
                      • GetClientRect.USER32(00000000,?), ref: 0105290C
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 01052955
                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01052964
                      • GetStockObject.GDI32(00000011), ref: 01052974
                      • SelectObject.GDI32(00000000,00000000), ref: 01052978
                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 01052988
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01052991
                      • DeleteDC.GDI32(00000000), ref: 0105299A
                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010529C6
                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 010529DD
                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 01052A1D
                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 01052A31
                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 01052A42
                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 01052A77
                      • GetStockObject.GDI32(00000011), ref: 01052A82
                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 01052A8D
                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 01052A97
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                      • API String ID: 2910397461-517079104
                      • Opcode ID: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
                      • Instruction ID: b0cabe63f3f54d8e32ccda6f9547ad5010c9e16992c3cb2e97d3c8536ea89e44
                      • Opcode Fuzzy Hash: 012b8629689e56df49f105a73240deaabfec823fb1038365e50160bad4d3f2ac
                      • Instruction Fuzzy Hash: F2B16EB2A00215AFEB24DFA8DD45FAF7BA9EF08710F048155F994EB290D779AD40CB50
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 01044AED
                      • GetDriveTypeW.KERNEL32(?,0106CB68,?,\\.\,0106CC08), ref: 01044BCA
                      • SetErrorMode.KERNEL32(00000000,0106CB68,?,\\.\,0106CC08), ref: 01044D36
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorMode$DriveType
                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                      • API String ID: 2907320926-4222207086
                      • Opcode ID: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
                      • Instruction ID: cfaef0f1c7f03ea917a6479f34bb3816c143fe7d9ceacac0f51f1a388583ad93
                      • Opcode Fuzzy Hash: 9cb6fb7bcf4f2bf0d15c6d93913defd8969c43befe488502580df0044ee9a344
                      • Instruction Fuzzy Hash: FF61D5B0A0410ADBCF44EF68CAD1A7C77E2AB04241B18406AF8D6EF251DB76DD85EB45
                      APIs
                      • GetSysColor.USER32(00000012), ref: 01067421
                      • SetTextColor.GDI32(?,?), ref: 01067425
                      • GetSysColorBrush.USER32(0000000F), ref: 0106743B
                      • GetSysColor.USER32(0000000F), ref: 01067446
                      • CreateSolidBrush.GDI32(?), ref: 0106744B
                      • GetSysColor.USER32(00000011), ref: 01067463
                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 01067471
                      • SelectObject.GDI32(?,00000000), ref: 01067482
                      • SetBkColor.GDI32(?,00000000), ref: 0106748B
                      • SelectObject.GDI32(?,?), ref: 01067498
                      • InflateRect.USER32(?,000000FF,000000FF), ref: 010674B7
                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 010674CE
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 010674DB
                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0106752A
                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 01067554
                      • InflateRect.USER32(?,000000FD,000000FD), ref: 01067572
                      • DrawFocusRect.USER32(?,?), ref: 0106757D
                      • GetSysColor.USER32(00000011), ref: 0106758E
                      • SetTextColor.GDI32(?,00000000), ref: 01067596
                      • DrawTextW.USER32(?,010670F5,000000FF,?,00000000), ref: 010675A8
                      • SelectObject.GDI32(?,?), ref: 010675BF
                      • DeleteObject.GDI32(?), ref: 010675CA
                      • SelectObject.GDI32(?,?), ref: 010675D0
                      • DeleteObject.GDI32(?), ref: 010675D5
                      • SetTextColor.GDI32(?,?), ref: 010675DB
                      • SetBkColor.GDI32(?,?), ref: 010675E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                      • String ID:
                      • API String ID: 1996641542-0
                      • Opcode ID: 0a4ef75a107a784d129a8fd041f448b3ebf0d5eca20b6c6dcde631f9d9c8e4cb
                      • Instruction ID: 8e78d7ad5342581a897270f0432aa8f6843bdaaab09612780098533d301358aa
                      • Opcode Fuzzy Hash: 0a4ef75a107a784d129a8fd041f448b3ebf0d5eca20b6c6dcde631f9d9c8e4cb
                      • Instruction Fuzzy Hash: A7618172900218AFEF119FA4DD48EEE7FB9EF09320F104151FA91AB2A1D7799940CF90
                      APIs
                      • GetCursorPos.USER32(?), ref: 01061128
                      • GetDesktopWindow.USER32 ref: 0106113D
                      • GetWindowRect.USER32(00000000), ref: 01061144
                      • GetWindowLongW.USER32(?,000000F0), ref: 01061199
                      • DestroyWindow.USER32(?), ref: 010611B9
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 010611ED
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0106120B
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0106121D
                      • SendMessageW.USER32(00000000,00000421,?,?), ref: 01061232
                      • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 01061245
                      • IsWindowVisible.USER32(00000000), ref: 010612A1
                      • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 010612BC
                      • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 010612D0
                      • GetWindowRect.USER32(00000000,?), ref: 010612E8
                      • MonitorFromPoint.USER32(?,?,00000002), ref: 0106130E
                      • GetMonitorInfoW.USER32(00000000,?), ref: 01061328
                      • CopyRect.USER32(?,?), ref: 0106133F
                      • SendMessageW.USER32(00000000,00000412,00000000), ref: 010613AA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                      • String ID: ($0$tooltips_class32
                      • API String ID: 698492251-4156429822
                      • Opcode ID: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
                      • Instruction ID: d6cac30011fa5b3781491f003455b88b33fa9e297ab5b86eb59f99e050780ed8
                      • Opcode Fuzzy Hash: 69baf75ee4878a0067be2de018a4ee51aeb96b612f08853d38c5a71045a34dc8
                      • Instruction Fuzzy Hash: F7B1AE71604341AFE750DF64C984B6ABBE9FF88310F048919F9D99B261C775E804CB91
                      APIs
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE8968
                      • GetSystemMetrics.USER32(00000007), ref: 00FE8970
                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00FE899B
                      • GetSystemMetrics.USER32(00000008), ref: 00FE89A3
                      • GetSystemMetrics.USER32(00000004), ref: 00FE89C8
                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00FE89E5
                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00FE89F5
                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00FE8A28
                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00FE8A3C
                      • GetClientRect.USER32(00000000,000000FF), ref: 00FE8A5A
                      • GetStockObject.GDI32(00000011), ref: 00FE8A76
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FE8A81
                        • Part of subcall function 00FE912D: GetCursorPos.USER32(?), ref: 00FE9141
                        • Part of subcall function 00FE912D: ScreenToClient.USER32(00000000,?), ref: 00FE915E
                        • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000001), ref: 00FE9183
                        • Part of subcall function 00FE912D: GetAsyncKeyState.USER32(00000002), ref: 00FE919D
                      • SetTimer.USER32(00000000,00000000,00000028,00FE90FC), ref: 00FE8AA8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                      • String ID: AutoIt v3 GUI
                      • API String ID: 1458621304-248962490
                      • Opcode ID: d12f93b8e39db3b9f19fcbc79a5bdad6fbec09333fa5fb118325a56213f03e93
                      • Instruction ID: 41490ee076fb3da37e1ba7acbfe40458069257e9faec2b6a7bd32e07b6e2ca8d
                      • Opcode Fuzzy Hash: d12f93b8e39db3b9f19fcbc79a5bdad6fbec09333fa5fb118325a56213f03e93
                      • Instruction Fuzzy Hash: E6B1A075A0024AAFDF14DFA8DD45BAE3BB4FB48310F004229FA95A7294DB79D941CF50
                      APIs
                        • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                        • Part of subcall function 010310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                        • Part of subcall function 010310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                        • Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                        • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030DF5
                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030E29
                      • GetLengthSid.ADVAPI32(?), ref: 01030E40
                      • GetAce.ADVAPI32(?,00000000,?), ref: 01030E7A
                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030E96
                      • GetLengthSid.ADVAPI32(?), ref: 01030EAD
                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 01030EB5
                      • HeapAlloc.KERNEL32(00000000), ref: 01030EBC
                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 01030EDD
                      • CopySid.ADVAPI32(00000000), ref: 01030EE4
                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030F13
                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030F35
                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030F47
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F6E
                      • HeapFree.KERNEL32(00000000), ref: 01030F75
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F7E
                      • HeapFree.KERNEL32(00000000), ref: 01030F85
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01030F8E
                      • HeapFree.KERNEL32(00000000), ref: 01030F95
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 01030FA1
                      • HeapFree.KERNEL32(00000000), ref: 01030FA8
                        • Part of subcall function 01031193: GetProcessHeap.KERNEL32(00000008,01030BB1,?,00000000,?,01030BB1,?), ref: 010311A1
                        • Part of subcall function 01031193: HeapAlloc.KERNEL32(00000000,?,00000000,?,01030BB1,?), ref: 010311A8
                        • Part of subcall function 01031193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,01030BB1,?), ref: 010311B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                      • String ID:
                      • API String ID: 4175595110-0
                      • Opcode ID: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
                      • Instruction ID: ac70894b7f71885295e8db43a5edd818989a79e8ed9ba1056220e8e878cfd0f2
                      • Opcode Fuzzy Hash: 702ca66c9a2a8f01bc8cae3c0c93fcf803ec147bf6671a5ca34ff184eb63c867
                      • Instruction Fuzzy Hash: 94717D7290120AAFEF209FA8DD44FEEBBBCBF46300F044155FA99E6194D7359905CB60
                      APIs
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105C4BD
                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0106CC08,00000000,?,00000000,?,?), ref: 0105C544
                      • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0105C5A4
                      • _wcslen.LIBCMT ref: 0105C5F4
                      • _wcslen.LIBCMT ref: 0105C66F
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0105C6B2
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0105C7C1
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0105C84D
                      • RegCloseKey.ADVAPI32(?), ref: 0105C881
                      • RegCloseKey.ADVAPI32(00000000), ref: 0105C88E
                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0105C960
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                      • API String ID: 9721498-966354055
                      • Opcode ID: 1f58b8c7e579966eb5d2ae66f6d806e183e5ab7c9929bbe7b00950c9d0338f88
                      • Instruction ID: 59057bb9cb61483ffeb1a057f444c47820baa0703fec2e80c740737b15a4a1c5
                      • Opcode Fuzzy Hash: 1f58b8c7e579966eb5d2ae66f6d806e183e5ab7c9929bbe7b00950c9d0338f88
                      • Instruction Fuzzy Hash: 58125C356043019FE754DF18C981B2AB7E5EF88714F08889DF98A9B3A2DB35ED41DB81
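The two entries above (the ADVAPI32/USER32 function with GetUserObjectSecurity, GetSecurityDescriptorDacl, AddAce, SetSecurityDescriptorDacl and SetUserObjectSecurity, and the registry function with RegConnectRegistryW, RegCreateKeyExW and RegSetValueExW) are the parts of this listing a triager would want to pull out automatically. The first is the standard Windows sequence for rewriting the DACL of a window station or desktop (the 00000004 passed to Get/SetUserObjectSecurity is DACL_SECURITY_INFORMATION, and AddAce is called with ACL_REVISION 2 and index -1, i.e. append), which a process does before letting another account draw on the interactive desktop; the second writes registry values through a handle that RegConnectRegistryW can open on a remote machine. The caveat: the "AutoIt v3" and "AutoIt v3 GUI" window-class strings elsewhere in this section show these are AutoIt runtime routines, so their presence records what the interpreter can do, not what this particular script calls. The script below is an added example by the editor, not part of the Joe Sandbox report or of the sample; it parses the report's per-function "APIs" bullets, checks ordered call chains, and decodes the SECURITY_INFORMATION argument. The sample text is copied from the two entries above and embedded as constructed input; the chain labels and the choice of chains are the editor's own.

```python
# Added example (editor's code, not part of the Joe Sandbox report or of the sample):
# parse the "Api.MODULE(args), ref: ADDR" bullets used above and flag ordered call chains.
import re
from typing import NamedTuple, Optional

class ApiCall(NamedTuple):
    api: str                # e.g. "AddAce"
    module: str             # e.g. "ADVAPI32"
    args: tuple             # raw argument tokens; "?" where the analyzer could not resolve one
    ref: int                # address of the call site
    subcall: Optional[str]  # address of the subcall function this call belongs to, if any

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

def parse_api_listing(text: str) -> list:
    """Parse one function's 'APIs' bullets; lines in any other shape are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["subfn"]))
    return calls

# Ordered chains (editor's labels): every name must occur, in this order, in the function.
CHAINS = {
    "user-object DACL rewrite": [
        "GetUserObjectSecurity", "GetSecurityDescriptorDacl", "AddAce",
        "SetSecurityDescriptorDacl", "SetUserObjectSecurity",
    ],
    "registry value write via RegConnectRegistry": [
        "RegConnectRegistryW", "RegCreateKeyExW", "RegSetValueExW",
    ],
}

def find_chains(calls, include_subcalls: bool = True) -> list:
    """Return labels of CHAINS that appear as an ordered subsequence of the calls."""
    names = [c.api for c in calls if include_subcalls or c.subcall is None]
    hits = []
    for label, chain in CHAINS.items():
        pos = 0
        for name in names:
            if name == chain[pos]:
                pos += 1
                if pos == len(chain):
                    hits.append(label)
                    break
    return hits

DACL_SECURITY_INFORMATION = 0x00000004  # SECURITY_INFORMATION bit from winnt.h

def _hex(token: str) -> Optional[int]:
    try:
        return int(token, 16)
    except ValueError:       # string literals such as "AutoIt v3" or "?" are not numbers
        return None

def requests_dacl(call: ApiCall) -> bool:
    """True when a Get/SetUserObjectSecurity call's SECURITY_INFORMATION arg has the DACL bit set."""
    if call.api not in ("GetUserObjectSecurity", "SetUserObjectSecurity") or len(call.args) < 2:
        return False
    value = _hex(call.args[1])
    return value is not None and (value & DACL_SECURITY_INFORMATION) != 0

# Constructed input: lines copied from the two report entries above.
DACL_ENTRY = """
  • Part of subcall function 010310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
  • Part of subcall function 010310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 01030DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 01030E29
• GetAce.ADVAPI32(?,00000000,?), ref: 01030E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 01030E96
• CopySid.ADVAPI32(00000000), ref: 01030EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 01030F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01030F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 01030F47
"""
REG_ENTRY = """
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0106CC08,00000000,?,00000000,?,?), ref: 0105C544
• _wcslen.LIBCMT ref: 0105C5F4
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0105C6B2
• RegCloseKey.ADVAPI32(?), ref: 0105C881
"""

if __name__ == "__main__":
    for name, text in (("DACL", DACL_ENTRY), ("REG", REG_ENTRY)):
        calls = parse_api_listing(text)
        print(name, len(calls), "calls ->", find_chains(calls))
```

Note that GetUserObjectSecurity only appears in the entry as a "Part of subcall function" line, so the DACL chain is found only when subcall lines are kept; matching on a function's direct calls alone misses it, which is why the parser records the subcall address instead of dropping those lines.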
                      APIs
                      • CharUpperBuffW.USER32(?,?), ref: 010609C6
                      • _wcslen.LIBCMT ref: 01060A01
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01060A54
                      • _wcslen.LIBCMT ref: 01060A8A
                      • _wcslen.LIBCMT ref: 01060B06
                      • _wcslen.LIBCMT ref: 01060B81
                        • Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD
                        • Part of subcall function 01032BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 01032BFA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$MessageSend$BuffCharUpper
                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                      • API String ID: 1103490817-4258414348
                      • Opcode ID: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
                      • Instruction ID: a0a25b00d1f9e5556df84346574735ccf133f36db106403c23cebda246eae950
                      • Opcode Fuzzy Hash: 20da5db7dd9c3565ff92320b3d7dc691928e7c7ba8647c1575e3d53f94252eb4
                      • Instruction Fuzzy Hash: 54E1AF322483018FCB14EF29C85096EB7E6BF98354B048A9DF8D69B366D735ED45CB81
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                      • API String ID: 1256254125-909552448
                      • Opcode ID: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
                      • Instruction ID: 1fb0249d2e73d02096c703647264d4d3a506943e1761f9eadcc8db54e42e8096
                      • Opcode Fuzzy Hash: 1c6bb14ccbd5e4042b39d3dde9fab7c3a8aae7d6cb4af9f7c7dc04268749db2d
                      • Instruction Fuzzy Hash: 4871053360022A8BEFA1DE6CCE505BF3BD9AF50654F140168FCD297286E635CD44E7A0
                      APIs
                      • _wcslen.LIBCMT ref: 0106835A
                      • _wcslen.LIBCMT ref: 0106836E
                      • _wcslen.LIBCMT ref: 01068391
                      • _wcslen.LIBCMT ref: 010683B4
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 010683F2
                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0106361A,?), ref: 0106844E
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068487
                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 010684CA
                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 01068501
                      • FreeLibrary.KERNEL32(?), ref: 0106850D
                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0106851D
                      • DestroyIcon.USER32(?), ref: 0106852C
                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 01068549
                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 01068555
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                      • String ID: .dll$.exe$.icl
                      • API String ID: 799131459-1154884017
                      • Opcode ID: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
                      • Instruction ID: 44eb02f3ced6b39efe73b25b60a81a4ef62f1dd783f3b0ea91d8aad2b5696b58
                      • Opcode Fuzzy Hash: 94b7ae3f8f264c1053f4565b0ffb5bc597a0200c227bba9868062ac86299d2fd
                      • Instruction Fuzzy Hash: CB61E271540319BAEB24DF64CC41BBF77ACBF08710F10864AF995DA1D1DBB9AA80D7A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                      • API String ID: 0-1645009161
                      • Opcode ID: e98333593cc589612a3020a6cd12cec6420949c524af1117fea92db4f44d5302
                      • Instruction ID: dd11e5ed71e435b8aae832455fc88c422948806204761bce0584e702a4dd8a6f
                      • Opcode Fuzzy Hash: e98333593cc589612a3020a6cd12cec6420949c524af1117fea92db4f44d5302
                      • Instruction Fuzzy Hash: B9811771A04305BBDB21BF64DC42FBE3BA9AF45300F084426F945AE256FB78D901E791
                      APIs
                      • LoadIconW.USER32(00000063), ref: 01035A2E
                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 01035A40
                      • SetWindowTextW.USER32(?,?), ref: 01035A57
                      • GetDlgItem.USER32(?,000003EA), ref: 01035A6C
                      • SetWindowTextW.USER32(00000000,?), ref: 01035A72
                      • GetDlgItem.USER32(?,000003E9), ref: 01035A82
                      • SetWindowTextW.USER32(00000000,?), ref: 01035A88
                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 01035AA9
                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 01035AC3
                      • GetWindowRect.USER32(?,?), ref: 01035ACC
                      • _wcslen.LIBCMT ref: 01035B33
                      • SetWindowTextW.USER32(?,?), ref: 01035B6F
                      • GetDesktopWindow.USER32 ref: 01035B75
                      • GetWindowRect.USER32(00000000), ref: 01035B7C
                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 01035BD3
                      • GetClientRect.USER32(?,?), ref: 01035BE0
                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 01035C05
                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 01035C2F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                      • String ID:
                      • API String ID: 895679908-0
                      • Opcode ID: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
                      • Instruction ID: b2f1008970219e2be72f684e72127cab97b2ff0df8c440435f1442c60cd2b07b
                      • Opcode Fuzzy Hash: 113402875e02e104cd8f5a1eed3da1268f02e1da423e8116e87155fe975016fc
                      • Instruction Fuzzy Hash: 03717F31900709AFDB24DFA8CE85AAEBBF9FF88704F104558E5C2A25A4D779E940CF50
                      APIs
                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00FF00C6
                        • Part of subcall function 00FF00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(010A070C,00000FA0,5201A9BA,?,?,?,?,010123B3,000000FF), ref: 00FF011C
                        • Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0127
                        • Part of subcall function 00FF00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,010123B3,000000FF), ref: 00FF0138
                        • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00FF014E
                        • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00FF015C
                        • Part of subcall function 00FF00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00FF016A
                        • Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF0195
                        • Part of subcall function 00FF00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00FF01A0
                      • ___scrt_fastfail.LIBCMT ref: 00FF00E7
                        • Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9
                      Strings
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00FF0122
                      • SleepConditionVariableCS, xrefs: 00FF0154
                      • kernel32.dll, xrefs: 00FF0133
                      • WakeAllConditionVariable, xrefs: 00FF0162
                      • InitializeConditionVariable, xrefs: 00FF0148
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 66158676-1714406822
                      • Opcode ID: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
                      • Instruction ID: 4c5f070fd86c93ff83d2e660dae58817f1397c531e44ce5170d22ef8fd53fe0f
                      • Opcode Fuzzy Hash: eae3c32527f0dbe6551159c1c393ca96b6560d3ea3fdaba258cfade685f6a03a
                      • Instruction Fuzzy Hash: 26213E32E45719ABE7306BA5AD05B7E3799EF05B60F00012AF9C1AB265DF799C009B50
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                      • API String ID: 176396367-1603158881
                      • Opcode ID: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
                      • Instruction ID: 66f52825b4d4eb2556f94318b223c249ab64bcb22e0424c09669a07da256d8a3
                      • Opcode Fuzzy Hash: cb1c7a7c7eb0ac5628ad9e20d27ee0ed61f66e6120bd5e4a89971c95b3defbdc
                      • Instruction Fuzzy Hash: 9BE10632A001169BCF199F68C8917FEFBB8BF84710F14815AE5D6EB241DF30A945DB90
                      APIs
                      • CharLowerBuffW.USER32(00000000,00000000,0106CC08), ref: 01044527
                      • _wcslen.LIBCMT ref: 0104453B
                      • _wcslen.LIBCMT ref: 01044599
                      • _wcslen.LIBCMT ref: 010445F4
                      • _wcslen.LIBCMT ref: 0104463F
                      • _wcslen.LIBCMT ref: 010446A7
                        • Part of subcall function 00FEF9F2: _wcslen.LIBCMT ref: 00FEF9FD
                      • GetDriveTypeW.KERNEL32(?,01096BF0,00000061), ref: 01044743
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharDriveLowerType
                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                      • API String ID: 2055661098-1000479233
                      • Opcode ID: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
                      • Instruction ID: 3897bfe768af297ce158af8cb069bb4f11746d9a6f5dfe128e48b595aade8441
                      • Opcode Fuzzy Hash: 373dc7b2df3e4d5f7a4dedbfd6fcc2656b9688c630b6e54a63389acd5afc9642
                      • Instruction Fuzzy Hash: 35B1FEB16083029BC710DF28C8D0A6EB7E5BF99760F44496DF5D6C7292E734D845CBA2
                      APIs
                      • _wcslen.LIBCMT ref: 0105B198
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1B0
                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0105B1D4
                      • _wcslen.LIBCMT ref: 0105B200
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B214
                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105B236
                      • _wcslen.LIBCMT ref: 0105B332
                        • Part of subcall function 010405A7: GetStdHandle.KERNEL32(000000F6), ref: 010405C6
                      • _wcslen.LIBCMT ref: 0105B34B
                      • _wcslen.LIBCMT ref: 0105B366
                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0105B3B6
                      • GetLastError.KERNEL32(00000000), ref: 0105B407
                      • CloseHandle.KERNEL32(?), ref: 0105B439
                      • CloseHandle.KERNEL32(00000000), ref: 0105B44A
                      • CloseHandle.KERNEL32(00000000), ref: 0105B45C
                      • CloseHandle.KERNEL32(00000000), ref: 0105B46E
                      • CloseHandle.KERNEL32(?), ref: 0105B4E3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                      • String ID:
                      • API String ID: 2178637699-0
                      • Opcode ID: d992b3542a1697c712530edc688e74063208f04db55a87c703ff3b5cc537329f
                      • Instruction ID: e278f3b778e2b693059f0bca699bd4089db9f516256ab12c1244da96791a6096
                      • Opcode Fuzzy Hash: d992b3542a1697c712530edc688e74063208f04db55a87c703ff3b5cc537329f
                      • Instruction Fuzzy Hash: B2F19D716043409FD764EF28C881B6FBBE6AF85310F18855EF9D59B2A2DB35E804CB52
                      APIs
                      • GetMenuItemCount.USER32(010A1990), ref: 01012F8D
                      • GetMenuItemCount.USER32(010A1990), ref: 0101303D
                      • GetCursorPos.USER32(?), ref: 01013081
                      • SetForegroundWindow.USER32(00000000), ref: 0101308A
                      • TrackPopupMenuEx.USER32(010A1990,00000000,?,00000000,00000000,00000000), ref: 0101309D
                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 010130A9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                      • String ID: 0
                      • API String ID: 36266755-4108050209
                      • Opcode ID: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
                      • Instruction ID: 6cfa76654f6a1f831faecb9aaea601050190b2bc413876d748d78d9f3ce0db24
                      • Opcode Fuzzy Hash: 5f2aeaac9e9ca696e6b89aa38991d48d9d5ab56f14979e9a2abc6c85f55628f9
                      • Instruction Fuzzy Hash: 25714B31640209BEFB319F28CC49FAABFA9FF05324F244217F6946A2D4C7B5A850DB51
                      APIs
                      • DestroyWindow.USER32(?,?), ref: 01066DEB
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 01066E5F
                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 01066E81
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066E94
                      • DestroyWindow.USER32(?), ref: 01066EB5
                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FD0000,00000000), ref: 01066EE4
                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01066EFD
                      • GetDesktopWindow.USER32 ref: 01066F16
                      • GetWindowRect.USER32(00000000), ref: 01066F1D
                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 01066F35
                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 01066F4D
                        • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                      • String ID: 0$tooltips_class32
                      • API String ID: 2429346358-3619404913
                      • Opcode ID: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
                      • Instruction ID: 7dc5190c4b6550edc25dd9f1593d53c40e546bfd0c9db9639aeb50c85c65af19
                      • Opcode Fuzzy Hash: 425636902746d9bb75210c8a1f41bcc4c1ed97d79adbc6c06adcb4f216309c0d
                      • Instruction Fuzzy Hash: B8717670104244AFEB21CF1CC844EAABBE9FB89304F84045EFADA87261C776E906DB15
                      APIs
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      • DragQueryPoint.SHELL32(?,?), ref: 01069147
                        • Part of subcall function 01067674: ClientToScreen.USER32(?,?), ref: 0106769A
                        • Part of subcall function 01067674: GetWindowRect.USER32(?,?), ref: 01067710
                        • Part of subcall function 01067674: PtInRect.USER32(?,?,01068B89), ref: 01067720
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 010691B0
                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 010691BB
                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 010691DE
                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 01069225
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0106923E
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 01069255
                      • SendMessageW.USER32(?,000000B1,?,?), ref: 01069277
                      • DragFinish.SHELL32(?), ref: 0106927E
                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 01069371
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                      • API String ID: 221274066-3440237614
                      • Opcode ID: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
                      • Instruction ID: 08a3cc4d85e15daa0544c5205a7a6b72b7feb42fc46311021e80bffcce3216e4
                      • Opcode Fuzzy Hash: 7d2a8afae115f81893474596dbdb97d5cfb7de4911806192281b1de2e1c03bc2
                      • Instruction Fuzzy Hash: A5618871108302AFD701DFA0DC85DAFBBE9EF88750F40091EF5D5922A0DB759A48CB62
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C4B0
                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C4C3
                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C4D7
                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0104C4F0
                      • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0104C533
                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0104C549
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C554
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C584
                      • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0104C5DC
                      • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0104C5F0
                      • InternetCloseHandle.WININET(00000000), ref: 0104C5FB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                      • String ID:
                      • API String ID: 3800310941-3916222277
                      • Opcode ID: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
                      • Instruction ID: 2c5e97e0db1465ef6c33940033df444e73322b13ffa59dcbfa0f3245b9d19c04
                      • Opcode Fuzzy Hash: 133f62c79c8051774763b1ff7d9784254f43eef04b1090390cdbee67f52394bf
                      • Instruction Fuzzy Hash: DF513FB1501605BFFB219F65CA88AAF7BFCFF08754F008429F9C696150DB39E9449BA0
                      APIs
                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 01068592
                      • GetFileSize.KERNEL32(00000000,00000000), ref: 010685A2
                      • GlobalAlloc.KERNEL32(00000002,00000000), ref: 010685AD
                      • CloseHandle.KERNEL32(00000000), ref: 010685BA
                      • GlobalLock.KERNEL32(00000000), ref: 010685C8
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 010685D7
                      • GlobalUnlock.KERNEL32(00000000), ref: 010685E0
                      • CloseHandle.KERNEL32(00000000), ref: 010685E7
                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 010685F8
                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,0106FC38,?), ref: 01068611
                      • GlobalFree.KERNEL32(00000000), ref: 01068621
                      • GetObjectW.GDI32(?,00000018,000000FF), ref: 01068641
                      • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 01068671
                      • DeleteObject.GDI32(00000000), ref: 01068699
                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 010686AF
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                      • String ID:
                      • API String ID: 3840717409-0
                      • Opcode ID: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
                      • Instruction ID: 381731c07dbf9b1b6bd5ef29cf878481826be3b9ae0c107988d71b44e5bafb2e
                      • Opcode Fuzzy Hash: 2afcfd496e45bcedcbbc5e9e2a9571e3039aa916ea6a9778ef31fd26513e416c
                      • Instruction Fuzzy Hash: DF412B75600205AFEB219FA9CD48EAE7BBCEF89711F008059F989EB264D7359901CB20
                      APIs
                      • VariantInit.OLEAUT32(00000000), ref: 01041502
                      • VariantCopy.OLEAUT32(?,?), ref: 0104150B
                      • VariantClear.OLEAUT32(?), ref: 01041517
                      • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 010415FB
                      • VarR8FromDec.OLEAUT32(?,?), ref: 01041657
                      • VariantInit.OLEAUT32(?), ref: 01041708
                      • SysFreeString.OLEAUT32(?), ref: 0104178C
                      • VariantClear.OLEAUT32(?), ref: 010417D8
                      • VariantClear.OLEAUT32(?), ref: 010417E7
                      • VariantInit.OLEAUT32(00000000), ref: 01041823
                      Similarity
                      • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                      • String ID: %4d%02d%02d%02d%02d%02d$Default
                      • API String ID: 1234038744-3931177956
                      • Opcode ID: 4a5aba84edf031df09bd6891f1191b38be19da804575b1836c1ca3df7af9b91a
                      • Instruction ID: d3173a3c65ca477d726e559941d04a0c35780443d6593e9cba3ae12d9e6ef2fd
                      • Opcode Fuzzy Hash: 4a5aba84edf031df09bd6891f1191b38be19da804575b1836c1ca3df7af9b91a
                      • Instruction Fuzzy Hash: 8CD1D5B1600219DBDB10DF65D8C5BBDBBF5BF05700F0880A6E9969B280DB35F885DBA1
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105B6F4
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105B772
                      • RegDeleteValueW.ADVAPI32(?,?), ref: 0105B80A
                      • RegCloseKey.ADVAPI32(?), ref: 0105B87E
                      • RegCloseKey.ADVAPI32(?), ref: 0105B89C
                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0105B8F2
                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105B904
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0105B922
                      • FreeLibrary.KERNEL32(00000000), ref: 0105B983
                      • RegCloseKey.ADVAPI32(00000000), ref: 0105B994
                      Similarity
                      • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 146587525-4033151799
                      • Opcode ID: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
                      • Instruction ID: c7bf221b8c651a94c59af0b9a54b8657daabf23e8fdc9eead26fd8ec05e55f83
                      • Opcode Fuzzy Hash: de34fa4445113de9bbda7053546e1b94d6bc0cceaa6be09157573c7a800124ad
                      • Instruction Fuzzy Hash: 17C17E34204201AFE750DF18C495F2ABBE2FF85308F18859DF9968B3A2CB75E945CB91
                      APIs
                      • GetDC.USER32(00000000), ref: 010525D8
                      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 010525E8
                      • CreateCompatibleDC.GDI32(?), ref: 010525F4
                      • SelectObject.GDI32(00000000,?), ref: 01052601
                      • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0105266D
                      • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 010526AC
                      • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 010526D0
                      • SelectObject.GDI32(?,?), ref: 010526D8
                      • DeleteObject.GDI32(?), ref: 010526E1
                      • DeleteDC.GDI32(?), ref: 010526E8
                      • ReleaseDC.USER32(00000000,?), ref: 010526F3
                      Similarity
                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                      • String ID: (
                      • API String ID: 2598888154-3887548279
                      • Opcode ID: 972e01ad3652986d784d36cc3ad87e64ddedd4be176f1ba84c4e44ed9134a7ba
                      • Instruction ID: 340f1eca7a52e99a22fad7b9326b7bdb71da08aa298bf5e0b8b468b35ab1a18a
                      • Opcode Fuzzy Hash: 972e01ad3652986d784d36cc3ad87e64ddedd4be176f1ba84c4e44ed9134a7ba
                      • Instruction Fuzzy Hash: DA611375D00209EFDF15CFA8C984AAEBBF5FF48310F20852AE995A7250D775A940CFA0
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0100DAA1
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D659
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D66B
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D67D
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D68F
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6A1
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6B3
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6C5
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6D7
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6E9
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D6FB
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D70D
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D71F
                        • Part of subcall function 0100D63C: _free.LIBCMT ref: 0100D731
                      • _free.LIBCMT ref: 0100DA96
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • _free.LIBCMT ref: 0100DAB8
                      • _free.LIBCMT ref: 0100DACD
                      • _free.LIBCMT ref: 0100DAD8
                      • _free.LIBCMT ref: 0100DAFA
                      • _free.LIBCMT ref: 0100DB0D
                      • _free.LIBCMT ref: 0100DB1B
                      • _free.LIBCMT ref: 0100DB26
                      • _free.LIBCMT ref: 0100DB5E
                      • _free.LIBCMT ref: 0100DB65
                      • _free.LIBCMT ref: 0100DB82
                      • _free.LIBCMT ref: 0100DB9A
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID:
                      • API String ID: 161543041-0
                      • Opcode ID: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
                      • Instruction ID: cac6e923f02d539fe2cac0ffb1567042a6e23e09fd8a78abda6c82cc4b0169af
                      • Opcode Fuzzy Hash: 9f2ac2bbc661ef493700b1d973b439b5028659a318c79e99af8c616188ee2662
                      • Instruction Fuzzy Hash: 463139316046069FFB63AAB9E848B9A7BE9FF11250F244459E4C9D71D1DE35E880CB30
                      APIs
                      • GetClassNameW.USER32(?,?,00000100), ref: 0103369C
                      • _wcslen.LIBCMT ref: 010336A7
                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 01033797
                      • GetClassNameW.USER32(?,?,00000400), ref: 0103380C
                      • GetDlgCtrlID.USER32(?), ref: 0103385D
                      • GetWindowRect.USER32(?,?), ref: 01033882
                      • GetParent.USER32(?), ref: 010338A0
                      • ScreenToClient.USER32(00000000), ref: 010338A7
                      • GetClassNameW.USER32(?,?,00000100), ref: 01033921
                      • GetWindowTextW.USER32(?,?,00000400), ref: 0103395D
                      Similarity
                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                      • String ID: %s%u
                      • API String ID: 4010501982-679674701
                      • Opcode ID: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
                      • Instruction ID: 4b09bec1805f56015a79183c4c2ff7c88d6124fe231a6e9e81ba8dd5ad769c7b
                      • Opcode Fuzzy Hash: 9ce791be66b255f20b664ed96d02188ea400c0aa6850e23976d63df9a956c123
                      • Instruction Fuzzy Hash: BA91A271204606EFE715DF28C884BAAF7ECFF84310F00851AFAD9DA150DB34A945CB91
                      APIs
                      • GetClassNameW.USER32(?,?,00000400), ref: 01034994
                      • GetWindowTextW.USER32(?,?,00000400), ref: 010349DA
                      • _wcslen.LIBCMT ref: 010349EB
                      • CharUpperBuffW.USER32(?,00000000), ref: 010349F7
                      • _wcsstr.LIBVCRUNTIME ref: 01034A2C
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 01034A64
                      • GetWindowTextW.USER32(?,?,00000400), ref: 01034A9D
                      • GetClassNameW.USER32(00000018,?,00000400), ref: 01034AE6
                      • GetClassNameW.USER32(?,?,00000400), ref: 01034B20
                      • GetWindowRect.USER32(?,?), ref: 01034B8B
                      Similarity
                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                      • String ID: ThumbnailClass
                      • API String ID: 1311036022-1241985126
                      • Opcode ID: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
                      • Instruction ID: fff677af2c5f0cf1fdda20fef021db7c635eb97b86451075a83163b9b47b721f
                      • Opcode Fuzzy Hash: 907ff7ef1d06aaa36869c5c7fbe512c484ab155caa90cc8e81bc720c9b713c01
                      • Instruction Fuzzy Hash: 1791B2311042099FEB59DE18C980BAA7BECFF84314F0484AAFEC5DA196DB34E945CB61
                      APIs
                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CC64
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0105CC8D
                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD48
                        • Part of subcall function 0105CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0105CCAA
                        • Part of subcall function 0105CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0105CCBD
                        • Part of subcall function 0105CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0105CCCF
                        • Part of subcall function 0105CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0105CD05
                        • Part of subcall function 0105CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0105CD28
                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 0105CCF3
                      Similarity
                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                      • String ID: RegDeleteKeyExW$advapi32.dll
                      • API String ID: 2734957052-4033151799
                      • Opcode ID: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
                      • Instruction ID: f5e96165b0138220b36fd5be6cf96240fc96f36f4a1a2f70d5875dbaea50a758
                      • Opcode Fuzzy Hash: 69cb81728a295e0f50b27ee51d6f368a22280173c442c3e26add7315b30d1251
                      • Instruction Fuzzy Hash: 0B318071901229BBFB719A95DD88EFFBFBCEF06640F0001A5F981E6104D6749A459BB0
                      APIs
                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 01043D40
                      • _wcslen.LIBCMT ref: 01043D6D
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 01043D9D
                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 01043DBE
                      • RemoveDirectoryW.KERNEL32(?), ref: 01043DCE
                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 01043E55
                      • CloseHandle.KERNEL32(00000000), ref: 01043E60
                      • CloseHandle.KERNEL32(00000000), ref: 01043E6B
                      Similarity
                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                      • String ID: :$\$\??\%s
                      • API String ID: 1149970189-3457252023
                      • Opcode ID: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
                      • Instruction ID: b4515ca8d423a0e003af067910e4bb8a3bdef0fc4e2020f934110745a3045348
                      • Opcode Fuzzy Hash: 6be8108e2e1807ccd1d898f9c52942e9bfab2cd62c7548e236327033b083f11b
                      • Instruction Fuzzy Hash: 3031B6B150011AABEB21ABA4DC85FEF37BDFF89700F1040B5F689D6064E77493448B24
                      APIs
                      • timeGetTime.WINMM ref: 0103E6B4
                        • Part of subcall function 00FEE551: timeGetTime.WINMM(?,?,0103E6D4), ref: 00FEE555
                      • Sleep.KERNEL32(0000000A), ref: 0103E6E1
                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0103E705
                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0103E727
                      • SetActiveWindow.USER32 ref: 0103E746
                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0103E754
                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 0103E773
                      • Sleep.KERNEL32(000000FA), ref: 0103E77E
                      • IsWindow.USER32 ref: 0103E78A
                      • EndDialog.USER32(00000000), ref: 0103E79B
                      Similarity
                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                      • String ID: BUTTON
                      • API String ID: 1194449130-3405671355
                      • Opcode ID: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
                      • Instruction ID: 73bbbab3a8739232e80f8e073159035e43f0ed4a1ba82a423c30b190694cab99
                      • Opcode Fuzzy Hash: 159acb4b7854506dc50eb0f415f04db544434a07a6e4dab3a7499d643ed290df
                      • Instruction Fuzzy Hash: CE21C670240601AFFB315F24EDD8A293B6DF788348F400635F5D182655DBBBAC109B24
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0103EA5D
                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0103EA73
                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103EA84
                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0103EA96
                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0103EAA7
                      Similarity
                      • API ID: SendString$_wcslen
                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                      • API String ID: 2420728520-1007645807
                      • Opcode ID: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
                      • Instruction ID: 7e8d7395fed4943e46cf1b3aa92c6e7f52fc4df30f901876d61543b22529a505
                      • Opcode Fuzzy Hash: 4cff909ac196c2cbf192a9652b25c6a7185f2ce3b4745350f81234447c2ddf0f
                      • Instruction Fuzzy Hash: D1110630A5026979EB20A3A6DC5AEFF7ABCEFC1F00F04052AB441A60D0EEB11905D5B0
                      APIs
                      • GetDlgItem.USER32(?,00000001), ref: 01035CE2
                      • GetWindowRect.USER32(00000000,?), ref: 01035CFB
                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 01035D59
                      • GetDlgItem.USER32(?,00000002), ref: 01035D69
                      • GetWindowRect.USER32(00000000,?), ref: 01035D7B
                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 01035DCF
                      • GetDlgItem.USER32(?,000003E9), ref: 01035DDD
                      • GetWindowRect.USER32(00000000,?), ref: 01035DEF
                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 01035E31
                      • GetDlgItem.USER32(?,000003EA), ref: 01035E44
                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 01035E5A
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 01035E67
                      Similarity
                      • API ID: Window$ItemMoveRect$Invalidate
                      • String ID:
                      • API String ID: 3096461208-0
                      • Opcode ID: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
                      • Instruction ID: ab1fdaeb50aac960dffe0fcc62d6c3248a261345997e642c7c37925b21d4314d
                      • Opcode Fuzzy Hash: 7d1e1dbac669655208b6e01807b80330de2b54028122d9333ed32c726d59d58a
                      • Instruction Fuzzy Hash: C3510FB1B00205AFDB18DF68DD89AAE7BF9FB88301F548129F555E7294D774AE00CB60
                      APIs
                        • Part of subcall function 00FE8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00FE8BE8,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8FC5
                      • DestroyWindow.USER32(?), ref: 00FE8C81
                      • KillTimer.USER32(00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 00FE8D1B
                      • DestroyAcceleratorTable.USER32(00000000), ref: 01026973
                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269A1
                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000,?), ref: 010269B8
                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00FE8BBA,00000000), ref: 010269D4
                      • DeleteObject.GDI32(00000000), ref: 010269E6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                      • String ID:
                      • API String ID: 641708696-0
                      APIs
                        • Part of subcall function 00FE9944: GetWindowLongW.USER32(?,000000EB), ref: 00FE9952
                      • GetSysColor.USER32(0000000F), ref: 00FE9862
                      Similarity
                      • API ID: ColorLongWindow
                      • String ID:
                      • API String ID: 259745315-0
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 01039717
                      • LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039720
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0101F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 01039742
                      • LoadStringW.USER32(00000000,?,0101F7F8,00000001), ref: 01039745
                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 01039866
                      Strings
                      Similarity
                      • API ID: HandleLoadModuleString$Message_wcslen
                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                      • API String ID: 747408836-2268648507
                      APIs
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 010307A2
                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 010307BE
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 010307DA
                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 01030804
                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0103082C
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 01030837
                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0103083C
                      Strings
                      Similarity
                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                      • API String ID: 323675364-22481851
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 01053C5C
                      • CoInitialize.OLE32(00000000), ref: 01053C8A
                      • CoUninitialize.OLE32 ref: 01053C94
                      • _wcslen.LIBCMT ref: 01053D2D
                      • GetRunningObjectTable.OLE32(00000000,?), ref: 01053DB1
                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 01053ED5
                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 01053F0E
                      • CoGetObject.OLE32(?,00000000,0106FB98,?), ref: 01053F2D
                      • SetErrorMode.KERNEL32(00000000), ref: 01053F40
                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01053FC4
                      • VariantClear.OLEAUT32(?), ref: 01053FD8
                      Similarity
                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                      • String ID:
                      • API String ID: 429561992-0
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 01047AF3
                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 01047B8F
                      • SHGetDesktopFolder.SHELL32(?), ref: 01047BA3
                      • CoCreateInstance.OLE32(0106FD08,00000000,00000001,01096E6C,?), ref: 01047BEF
                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 01047C74
                      • CoTaskMemFree.OLE32(?,?), ref: 01047CCC
                      • SHBrowseForFolderW.SHELL32(?), ref: 01047D57
                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 01047D7A
                      • CoTaskMemFree.OLE32(00000000), ref: 01047D81
                      • CoTaskMemFree.OLE32(00000000), ref: 01047DD6
                      • CoUninitialize.OLE32 ref: 01047DDC
                      Similarity
                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                      • String ID:
                      • API String ID: 2762341140-0
                      APIs
                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01065504
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01065515
                      • CharNextW.USER32(00000158), ref: 01065544
                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01065585
                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0106559B
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 010655AC
                      Similarity
                      • API ID: MessageSend$CharNext
                      • String ID:
                      • API String ID: 1350042424-0
                      APIs
                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0102FAAF
                      • SafeArrayAllocData.OLEAUT32(?), ref: 0102FB08
                      • VariantInit.OLEAUT32(?), ref: 0102FB1A
                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0102FB3A
                      • VariantCopy.OLEAUT32(?,?), ref: 0102FB8D
                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 0102FBA1
                      • VariantClear.OLEAUT32(?), ref: 0102FBB6
                      • SafeArrayDestroyData.OLEAUT32(?), ref: 0102FBC3
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBCC
                      • VariantClear.OLEAUT32(?), ref: 0102FBDE
                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102FBE9
                      Similarity
                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                      • String ID:
                      • API String ID: 2706829360-0
                      APIs
                      • GetKeyboardState.USER32(?), ref: 01039CA1
                      • GetAsyncKeyState.USER32(000000A0), ref: 01039D22
                      • GetKeyState.USER32(000000A0), ref: 01039D3D
                      • GetAsyncKeyState.USER32(000000A1), ref: 01039D57
                      • GetKeyState.USER32(000000A1), ref: 01039D6C
                      • GetAsyncKeyState.USER32(00000011), ref: 01039D84
                      • GetKeyState.USER32(00000011), ref: 01039D96
                      • GetAsyncKeyState.USER32(00000012), ref: 01039DAE
                      • GetKeyState.USER32(00000012), ref: 01039DC0
                      • GetAsyncKeyState.USER32(0000005B), ref: 01039DD8
                      • GetKeyState.USER32(0000005B), ref: 01039DEA
                      Similarity
                      • API ID: State$Async$Keyboard
                      • String ID:
                      • API String ID: 541375521-0
                      APIs
                      • WSAStartup.WSOCK32(00000101,?), ref: 010505BC
                      • inet_addr.WSOCK32(?), ref: 0105061C
                      • gethostbyname.WSOCK32(?), ref: 01050628
                      • IcmpCreateFile.IPHLPAPI ref: 01050636
                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 010506C6
                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 010506E5
                      • IcmpCloseHandle.IPHLPAPI(?), ref: 010507B9
                      • WSACleanup.WSOCK32 ref: 010507BF
                      Strings
                      Similarity
                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                      • String ID: Ping
                      • API String ID: 1028309954-2246546115
                      APIs
                      Strings
                      Similarity
                      • API ID: _wcslen$BuffCharLower
                      • String ID: cdecl$none$stdcall$winapi
                      • API String ID: 707087890-567219261
                      APIs
                      • CoInitialize.OLE32 ref: 01053774
                      • CoUninitialize.OLE32 ref: 0105377F
                      • CoCreateInstance.OLE32(?,00000000,00000017,0106FB78,?), ref: 010537D9
                      • IIDFromString.OLE32(?,?), ref: 0105384C
                      • VariantInit.OLEAUT32(?), ref: 010538E4
                      • VariantClear.OLEAUT32(?), ref: 01053936
                      Strings
                      Similarity
                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                      • API String ID: 636576611-1287834457
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 010433CF
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 010433F0
                      Strings
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-3080491070
                      APIs
                      Strings
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                      • API String ID: 1256254125-769500911
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 010453A0
                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 01045416
                      • GetLastError.KERNEL32 ref: 01045420
                      • SetErrorMode.KERNEL32(00000000,READY), ref: 010454A7
                      Strings
                      Similarity
                      • API ID: Error$Mode$DiskFreeLastSpace
                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                      • API String ID: 4194297153-14809454
                      • Opcode ID: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
                      • Instruction ID: 6f0f1b6f41f6c25da1d5f4b4afc45378b3d490dc5f705b32a4d3efe5887d6535
                      • Opcode Fuzzy Hash: b159bba315553b762215af167254b20cbd942381428c2feb545358d30205a2fd
                      • Instruction Fuzzy Hash: 6D319FB5A002059FDB11DF68C8C4AAA7BF4FB85309F0880A5F585CF292EB75D942CB90
                      APIs
                      • CreateMenu.USER32 ref: 01063C79
                      • SetMenu.USER32(?,00000000), ref: 01063C88
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063D10
                      • IsMenu.USER32(?), ref: 01063D24
                      • CreatePopupMenu.USER32 ref: 01063D2E
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063D5B
                      • DrawMenuBar.USER32 ref: 01063D63
                      Strings
                      Similarity
                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                      • String ID: 0$F
                      • API String ID: 161812096-3044882817
                      • Opcode ID: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
                      • Instruction ID: 70519c22da2a8c197c2e1518116ccd74c1c0fd156e53bb0e30968d13112c347f
                      • Opcode Fuzzy Hash: 30cc3d6934ce14de08e3147ed5d15d82301b3f802858a79698059384d908a2d5
                      • Instruction Fuzzy Hash: 5B417F75A01209EFEB24DF64E844ADA7BF9FF49350F040069FA8A9B360D735A910CF94
                      APIs
                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01063A9D
                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01063AA0
                      • GetWindowLongW.USER32(?,000000F0), ref: 01063AC7
                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01063AEA
                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01063B62
                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 01063BAC
                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 01063BC7
                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 01063BE2
                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 01063BF6
                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 01063C13
                      Similarity
                      • API ID: MessageSend$LongWindow
                      • String ID:
                      • API String ID: 312131281-0
                      • Opcode ID: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
                      • Instruction ID: a4b2639126ca93b18287cfb6cb409277444c8c7072372c39bc72030e27ee7cae
                      • Opcode Fuzzy Hash: 112352f5b5d9f57dc255ff36c71ad05ebcb93d5e7ef2fe5a1632e29163a87830
                      • Instruction Fuzzy Hash: F7616A75900208AFDB20DFA8CC81EEE77F8FF09714F10019AFA95AB291D775A945DB90
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 0103B151
                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B165
                      • GetWindowThreadProcessId.USER32(00000000), ref: 0103B16C
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B17B
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0103B18D
                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1A6
                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1B8
                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B1FD
                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B212
                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0103A1E1,?,00000001), ref: 0103B21D
                      Similarity
                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                      • String ID:
                      • API String ID: 2156557900-0
                      • Opcode ID: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
                      • Instruction ID: b68c108820f56959957790cc2f2022563ecd9121f45f1d76a645ba33c96314be
                      • Opcode Fuzzy Hash: 3b1db2c314b246af02284a4ac496ec88b6c38791e87dc866b3545890ad93e05d
                      • Instruction Fuzzy Hash: FB31FD71180604BFEB359F28D849F6DBBEDBB86319F504104FAC2CA185C7BAA8008F24
                      APIs
                      • _free.LIBCMT ref: 01002C94
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • _free.LIBCMT ref: 01002CA0
                      • _free.LIBCMT ref: 01002CAB
                      • _free.LIBCMT ref: 01002CB6
                      • _free.LIBCMT ref: 01002CC1
                      • _free.LIBCMT ref: 01002CCC
                      • _free.LIBCMT ref: 01002CD7
                      • _free.LIBCMT ref: 01002CE2
                      • _free.LIBCMT ref: 01002CED
                      • _free.LIBCMT ref: 01002CFB
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
                      • Instruction ID: c4a5c549467f4ce043041e07c10291093d6a69478084efb5f7e8131261c4af66
                      • Opcode Fuzzy Hash: aa965520425a5ba993a18b61e1943a9391fb2edffb4ca5ebf3ae278adad05b08
                      • Instruction Fuzzy Hash: 1511B676500109BFEB03EF94D885CDD3BA9FF15390F6144A5FA889F2A1DA31EE509B90
                      APIs
                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FD1459
                      • OleUninitialize.OLE32(?,00000000), ref: 00FD14F8
                      • UnregisterHotKey.USER32(?), ref: 00FD16DD
                      • DestroyWindow.USER32(?), ref: 010124B9
                      • FreeLibrary.KERNEL32(?), ref: 0101251E
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0101254B
                      Strings
                      Similarity
                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                      • String ID: close all
                      • API String ID: 469580280-3243417748
                      • Opcode ID: cd5410b40ea7ee027a6844bf4af4cda483d3cca344f4f92eb9f92941775e90ea
                      • Instruction ID: b29d196f10a7134eb2b10cb37aa3a24d4482faf95ff0c8e222f882915fb08ab3
                      • Opcode Fuzzy Hash: cd5410b40ea7ee027a6844bf4af4cda483d3cca344f4f92eb9f92941775e90ea
                      • Instruction Fuzzy Hash: DAD19931701212DFDB29EF15C998B28F7A5BF05700F2842AEE58A6B365CB34AC12DF50
                      APIs
                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01047FAD
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01047FC1
                      • GetFileAttributesW.KERNEL32(?), ref: 01047FEB
                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 01048005
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01048017
                      • SetCurrentDirectoryW.KERNEL32(?), ref: 01048060
                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 010480B0
                      Strings
                      Similarity
                      • API ID: CurrentDirectory$AttributesFile
                      • String ID: *.*
                      • API String ID: 769691225-438819550
                      • Opcode ID: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
                      • Instruction ID: a3c9cd633eb68de918236dc879005afd26d3c815c9e65bf6e997972653ae80ba
                      • Opcode Fuzzy Hash: cd5334f080d820bed8b8acbd0f583eafe605d2b41772794a6e612810d659e189
                      • Instruction Fuzzy Hash: 4981C1B25042019BDB74EF59C884AAEB7E9BF88310F084D6EF9C5C7250E735D945CB92
                      APIs
                      • SetWindowLongW.USER32(?,000000EB), ref: 00FD5C7A
                        • Part of subcall function 00FD5D0A: GetClientRect.USER32(?,?), ref: 00FD5D30
                        • Part of subcall function 00FD5D0A: GetWindowRect.USER32(?,?), ref: 00FD5D71
                        • Part of subcall function 00FD5D0A: ScreenToClient.USER32(?,?), ref: 00FD5D99
                      • GetDC.USER32 ref: 010146F5
                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 01014708
                      • SelectObject.GDI32(00000000,00000000), ref: 01014716
                      • SelectObject.GDI32(00000000,00000000), ref: 0101472B
                      • ReleaseDC.USER32(?,00000000), ref: 01014733
                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 010147C4
                      Strings
                      Similarity
                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                      • String ID: U
                      • API String ID: 4009187628-3372436214
                      • Opcode ID: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
                      • Instruction ID: 0860b4c19cc7d5986dcfc46463849bf5723e87a7579a31f5ee21f49d859e25ba
                      • Opcode Fuzzy Hash: e819c201679f4b7518b39605973d6faef0c5f1c5fb4255aa69893ffc96ed1ba2
                      • Instruction Fuzzy Hash: EA71E331500205DFDF218F68C984ABE3BB6FF49365F1842A6EED59A26AC3399841DF50
                      APIs
                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 010435E4
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • LoadStringW.USER32(010A2390,?,00000FFF,?), ref: 0104360A
                      Strings
                      Similarity
                      • API ID: LoadString$_wcslen
                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                      • API String ID: 4099089115-2391861430
                      • Opcode ID: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
                      • Instruction ID: 488dbfe35c086e19e2f0d7c94c0fd133af2cf962acb7cc4183f90513b992caa6
                      • Opcode Fuzzy Hash: 2cd4508b1b4f43b1a04efce96fd2e8cd860d7da88741543a6f84e3e57df22335
                      • Instruction Fuzzy Hash: 0D51A27280021ABBDF15EBE0CD81EEDBB7ABF14300F484126F14576251DB751A98EF61
                      APIs
                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104C29A
                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0104C2CA
                      • GetLastError.KERNEL32 ref: 0104C322
                      • SetEvent.KERNEL32(?), ref: 0104C336
                      • InternetCloseHandle.WININET(00000000), ref: 0104C341
                      Strings
                      Similarity
                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                      • String ID:
                      • API String ID: 3113390036-3916222277
                      • Opcode ID: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
                      • Instruction ID: 28d8cdb07ef70945c986e1488bf6a296edbc66dfca4314240e920f69311193f9
                      • Opcode Fuzzy Hash: 7a7dc09a089ac3c8bd2660e1c96d0a3f78e68be3e3c750da4e8c5038aa4d45d1
                      • Instruction Fuzzy Hash: 073171B1601244AFF7319FA58AC4AAF7BFCEF49645B04856DE4C6D2210DB39DA048B60
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,01013AAF,?,?,Bad directive syntax error,0106CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 010398BC
                      • LoadStringW.USER32(00000000,?,01013AAF,?), ref: 010398C3
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 01039987
                      Strings
                      Similarity
                      • API ID: HandleLoadMessageModuleString_wcslen
                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                      • API String ID: 858772685-4153970271
                      • Opcode ID: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
                      • Instruction ID: 6345a1127c76205edf7a9b9056ac330a0d1a70d8ceb908ea840c01dc811b9459
                      • Opcode Fuzzy Hash: d900e94fe707eff630bf387001ad72b8240154ff68150ddb63832ab17e6b0bca
                      • Instruction Fuzzy Hash: 1921D03190021EEBDF11AF90CC06EEE377ABF18304F08441AF65566061EB7A9A28EB11
                      APIs
                      • GetParent.USER32 ref: 010320AB
                      • GetClassNameW.USER32(00000000,?,00000100), ref: 010320C0
                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0103214D
                      Strings
                      Similarity
                      • API ID: ClassMessageNameParentSend
                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                      • API String ID: 1290815626-3381328864
                      • Opcode ID: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
                      • Instruction ID: 21f54509c4581e72a8296e8d99d2ee75b73ecf682fa9df996834551f5e637591
                      • Opcode Fuzzy Hash: 7e9b1bf0809f86d16e1aa8952e7e469cd16d04b7753fbeafb2a7c7083ee340ce
                      • Instruction Fuzzy Hash: 7B110A7A68830AB9FB122526DD16DBB379CCF55724B20015AF784A90A2FAB978016A14
                      APIs
                      Similarity
                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 1282221369-0
                      • Opcode ID: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
                      • Instruction ID: 58456d234c6cb2d02f96d3b9b5e715a7124b16f558e63c8d123ff1a35081b8e2
                      • Opcode Fuzzy Hash: 1ee7eff62ad01f277eea606da96a92ba99b82b1be0cc8ef7da01a95c0274133c
                      • Instruction Fuzzy Hash: B2614972904205AFFB23AFB89984ABD7FE4AF01350F0442EDFAC4972C5D736990587A1
                      APIs
                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 01065186
                      • ShowWindow.USER32(?,00000000), ref: 010651C7
                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 010651CD
                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 010651D1
                        • Part of subcall function 01066FBA: DeleteObject.GDI32(00000000), ref: 01066FE6
                      • GetWindowLongW.USER32(?,000000F0), ref: 0106520D
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0106521A
                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0106524D
                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 01065287
                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 01065296
                      Similarity
                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                      • String ID:
                      • API String ID: 3210457359-0
                      • Opcode ID: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
                      • Instruction ID: ac35a38895cde480c7e852350b133ef4f124679a7804b3221cfab87a067b3902
                      • Opcode Fuzzy Hash: 45c56fef8ada4fe8d6e18c3aa9064f3e62c7848ca151203b3cd41da7666c3deb
                      • Instruction Fuzzy Hash: 4F51C470A4020AFFFF309F28CC45BD83BA9FB463A1F144152F6959A2E0D3B9A590DB51
                      APIs
                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 01026890
                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 010268A9
                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 010268B9
                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 010268D1
                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 010268F2
                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 01026901
                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0102691E
                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00FE8874,00000000,00000000,00000000,000000FF,00000000), ref: 0102692D
                      Similarity
                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                      • String ID:
                      • API String ID: 1268354404-0
                      • Opcode ID: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
                      • Instruction ID: c9f8aa5137c2875dffb99097cafd85f3a852c5e8b6d8851880593741f11f4258
                      • Opcode Fuzzy Hash: f1a154aeba12fb1890d103ae59a0cf0d6988fdb1b93ff57a202a72aaa18c3d69
                      • Instruction Fuzzy Hash: 0651AE70600645EFEB20DF25CC41FAA7BF5FB88350F104618F996972A0DBB6E991EB50
                      APIs
                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0104C182
                      • GetLastError.KERNEL32 ref: 0104C195
                      • SetEvent.KERNEL32(?), ref: 0104C1A9
                        • Part of subcall function 0104C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0104C272
                        • Part of subcall function 0104C253: GetLastError.KERNEL32 ref: 0104C322
                        • Part of subcall function 0104C253: SetEvent.KERNEL32(?), ref: 0104C336
                        • Part of subcall function 0104C253: InternetCloseHandle.WININET(00000000), ref: 0104C341
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                      • String ID:
                      • API String ID: 337547030-0
                      • Opcode ID: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
                      • Instruction ID: 5ea08834ba652fd1c64b1b9c14f067cdd0380a099a3e12143f21e4c0e5511c3b
                      • Opcode Fuzzy Hash: ffbe7c3b0d012973f3a46a118fa097a6e715a8e199554fe7851939e05949692c
                      • Instruction Fuzzy Hash: 663183B1502641BFFB219FB5DB84A6A7BF8FF14200B04442DF9DA82624D775E4149B60
                      APIs
                        • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                        • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                        • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 010325BD
                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 010325DB
                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 010325DF
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 010325E9
                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 01032601
                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 01032605
                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0103260F
                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 01032623
                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 01032627
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                      • String ID:
                      • API String ID: 2014098862-0
                      • Opcode ID: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
                      • Instruction ID: a922baef9f9ff51c80b84c6404d31512fd2013c71746be5143616ed0767c744a
                      • Opcode Fuzzy Hash: e3fe75068930df16e1f5a3bf67cecf61145b31438d232c42754c469bb12ebf41
                      • Instruction Fuzzy Hash: 8401D830790610BBFB2076689C8AF593F5DDF8EB11F100001F394AE0D4C9F224458B69
                      APIs
                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,01031449,?,?,00000000), ref: 0103180C
                      • HeapAlloc.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031813
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031828
                      • GetCurrentProcess.KERNEL32(?,00000000,?,01031449,?,?,00000000), ref: 01031830
                      • DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 01031833
                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,01031449,?,?,00000000), ref: 01031843
                      • GetCurrentProcess.KERNEL32(01031449,00000000,?,01031449,?,?,00000000), ref: 0103184B
                      • DuplicateHandle.KERNEL32(00000000,?,01031449,?,?,00000000), ref: 0103184E
                      • CreateThread.KERNEL32(00000000,00000000,01031874,00000000,00000000,00000000), ref: 01031868
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                      • String ID:
                      • API String ID: 1957940570-0
                      • Opcode ID: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
                      • Instruction ID: da59f13c231daa53d467d9427a1e4ad1374f97c6c3c58e86aeb843908d71d8d0
                      • Opcode Fuzzy Hash: f05c1ab3934ec78a07636650c0765e73c4546375e0666cae92870035b328b0db
                      • Instruction Fuzzy Hash: 8001A8B5240348FFF620ABA5DD49F6B3BACEB8AB11F004411FA85DB1A5CA7598008B20
                      APIs
                        • Part of subcall function 0103D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
                        • Part of subcall function 0103D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
                        • Part of subcall function 0103D4DC: CloseHandle.KERNEL32(00000000), ref: 0103D5DC
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A16D
                      • GetLastError.KERNEL32 ref: 0105A180
                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105A1B3
                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0105A268
                      • GetLastError.KERNEL32(00000000), ref: 0105A273
                      • CloseHandle.KERNEL32(00000000), ref: 0105A2C4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                      • String ID: SeDebugPrivilege
                      • API String ID: 2533919879-2896544425
                      • Opcode ID: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
                      • Instruction ID: 778f9c987f13c35cea4a2278e8a5a057e3e7a7d90d40510e123a6f882fc919a7
                      • Opcode Fuzzy Hash: 779dc2add59615fb39076b2afe229bce6a0e18df3419f52d1c4df6010c39de8a
                      • Instruction Fuzzy Hash: A961B130204242DFE760DF18C495F5ABBE1AF44358F18858CE9968F7A3C776E945CB91
                      APIs
                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01063925
                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0106393A
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01063954
                      • _wcslen.LIBCMT ref: 01063999
                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 010639C6
                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 010639F4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$Window_wcslen
                      • String ID: SysListView32
                      • API String ID: 2147712094-78025650
                      • Opcode ID: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
                      • Instruction ID: 7ab82b93cc7e284cbdcdf5a8c3f74da0305a57b280f274b1d05bcfef347be60f
                      • Opcode Fuzzy Hash: 2c4c18d4858603874de5404b69870de033aad146bbdb60bd97c31a8a31c39d68
                      • Instruction Fuzzy Hash: B5418271A00319ABEF219F64CC45FEA7BADFF08350F10056AF998EB291D7759980CB90
                      APIs
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0103BCFD
                      • IsMenu.USER32(00000000), ref: 0103BD1D
                      • CreatePopupMenu.USER32 ref: 0103BD53
                      • GetMenuItemCount.USER32(01685578), ref: 0103BDA4
                      • InsertMenuItemW.USER32(01685578,?,00000001,00000030), ref: 0103BDCC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                      • String ID: 0$2
                      • API String ID: 93392585-3793063076
                      • Opcode ID: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
                      • Instruction ID: 621e5d99bd9eea538b941377ad26c45b01d1b7b09b54f9a86efebc18ca4d2e46
                      • Opcode Fuzzy Hash: ad3b182be783f6f02e0d0de015f5bb7be362fd56707670eb68e1b3b37f370b4d
                      • Instruction Fuzzy Hash: B551B270A002099BEF21EFACD988BADBFFCBF85318F144199E581DB291E7709541CB52
                      APIs
                      • LoadIconW.USER32(00000000,00007F03), ref: 0103C913
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: IconLoad
                      • String ID: blank$info$question$stop$warning
                      • API String ID: 2457776203-404129466
                      • Opcode ID: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
                      • Instruction ID: 470ae78f8959afaea8e1818a7093fdecc666b8fd75ee9272e6f8c4ca1babfc9d
                      • Opcode Fuzzy Hash: 00caf5ffd17d8e8e0a75de1baeea8e4e8e40bd548610bb3890630716c461cd9a
                      • Instruction Fuzzy Hash: 3911EB3668930BBAFB019B559D86CAF77DCDF45360B1100AFF580FA182E7A96F006264
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$LocalTime
                      • String ID:
                      • API String ID: 952045576-0
                      • Opcode ID: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
                      • Instruction ID: 3b231c6da6320ea9afb113cf2ef356134a5dcf7375903c5d491b94028f099d67
                      • Opcode Fuzzy Hash: c5f406a3f56e1af55ce3ac0e89f022617a788e225b013364e96d467846d05838
                      • Instruction Fuzzy Hash: 33419F65D1021C65CB21EBB4CC8A9DFB7ACAF85710F408566E618E3122FB38E255C3E5
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 00FEF953
                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F3D1
                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0102F454
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ShowWindow
                      • String ID:
                      • API String ID: 1268545403-0
                      • Opcode ID: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
                      • Instruction ID: a5b28658de1d1bdc9629fa5511fafb76d3b4b3f74f271ef21e6fbded320916ec
                      • Opcode Fuzzy Hash: bc346db4eb060e702fd9b603a39f7053719e90a9221be7a047a66e6c7124e483
                      • Instruction Fuzzy Hash: D9415A31A086C0BAD7398B2FCD8872E7FA1AB46360F15802DE0C757562C67AA588E711
                      APIs
                      • DeleteObject.GDI32(00000000), ref: 01062D1B
                      • GetDC.USER32(00000000), ref: 01062D23
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01062D2E
                      • ReleaseDC.USER32(00000000,00000000), ref: 01062D3A
                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01062D76
                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01062D87
                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,01065A65,?,?,000000FF,00000000,?,000000FF,?), ref: 01062DC2
                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01062DE1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                      • String ID:
                      • API String ID: 3864802216-0
                      • Opcode ID: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
                      • Instruction ID: 045e96b28ae87bbd34d8627fc2a8f10d220145d33d6dbcba0da19db67519903a
                      • Opcode Fuzzy Hash: 58973c690e37be8eaba8b4d869e18e1f96a5d222a962799a103443942544d8e7
                      • Instruction Fuzzy Hash: FA318B72201214BBFB218F548C8AFEB3FADEF09715F044055FE889A291C6BA9840C7A4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
                      • Instruction ID: fe6f2512886ca7cc0a4abe80bbe5e296e1759b29bd300b355bf0cddc5cf51c4a
                      • Opcode Fuzzy Hash: a301a688d76f2037b4d60cdc687cc3421fae333726dfb61ff0c819696e7e5c6c
                      • Instruction Fuzzy Hash: 1B21F9B174420AB7E2155926BE92FFE339DBFA4294F040014FE859F561F724ED10D1E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID:
                      • String ID: NULL Pointer assignment$Not an Object type
                      • API String ID: 0-572801152
                      • Opcode ID: 3a26896c03c5c756711a05e97b68bd8b8cc81ef87b6fc242c6aec8deb37fba1f
                      • Instruction ID: 8c2adcff9855073ed26317a6315ff6b900c54d909c4b88ce66d4d18e782113e0
                      • Opcode Fuzzy Hash: 3a26896c03c5c756711a05e97b68bd8b8cc81ef87b6fc242c6aec8deb37fba1f
                      • Instruction Fuzzy Hash: 15D1A275A0020A9FDF90CF98CC80AAEBBF5BF48354F148469ED95AB281E771D945CB50
                      APIs
                      • GetCPInfo.KERNEL32(?,?), ref: 010115CE
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 01011651
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 010116E4
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 010116FB
                        • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01011777
                      • __freea.LIBCMT ref: 010117A2
                      • __freea.LIBCMT ref: 010117AE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                      • String ID:
                      • API String ID: 2829977744-0
                      • Opcode ID: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
                      • Instruction ID: e7fdcba3b2615d9e30818f9b71ea2be4599d568b9f1cba52e1ba6a314bce97da
                      • Opcode Fuzzy Hash: 7707fe4eeab04668799703d158c5c3ebae37751c5823b9ee323c4ab061d23d1a
                      • Instruction Fuzzy Hash: 6A91CC71E042169FEB298E78C841AEE7BF5AF09710F1C4599EB81E7288D73DD940C7A0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Variant$ClearInit
                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                      • API String ID: 2610073882-625585964
                      • Opcode ID: 9db8ecff194df3ae8ec39cd104be291cfd10ffe0c7dbbe88d24199375dca4406
                      • Instruction ID: 89c1fed37558b0c52e7f854895ce081f7e4af0a7c86d280fe371321246e3fa21
                      • Opcode Fuzzy Hash: 9db8ecff194df3ae8ec39cd104be291cfd10ffe0c7dbbe88d24199375dca4406
                      • Instruction Fuzzy Hash: B7915D71A00219EBDF64CFA5C884FEFBBB8EF45714F008559E945EB281E7709985CBA0
                      APIs
                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0104125C
                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 01041284
                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 010412A8
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010412D8
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0104135F
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 010413C4
                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 01041430
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                      • String ID:
                      • API String ID: 2550207440-0
                      • Opcode ID: 3bf412820e07a1ffe3112f69108e494683325cd3ffa689dd4670deff46e331b9
                      • Instruction ID: 69e08e32beeb3ac7854d5b409c17d5e9f1a90399f4e235503337a3ffd8522481
                      • Opcode Fuzzy Hash: 3bf412820e07a1ffe3112f69108e494683325cd3ffa689dd4670deff46e331b9
                      • Instruction Fuzzy Hash: BB91A1B5A00209AFEB11DF98C8C4BBE77B5FF45315F144079E680EB291DB79A981CB90
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
                      • Instruction ID: 811b37544c199333d590c4ab2563f325d86e7c220103c41c736b336682199125
                      • Opcode Fuzzy Hash: b42b90b3e78f2d888db7c36582d0caf3c8039fef3b6af53c0054a15c334768e1
                      • Instruction Fuzzy Hash: 52916871D04219EFDB10CFAACC84AEEBBB8FF49320F148449E555B7251D3B8AA41DB60
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 0105396B
                      • CharUpperBuffW.USER32(?,?), ref: 01053A7A
                      • _wcslen.LIBCMT ref: 01053A8A
                      • VariantClear.OLEAUT32(?), ref: 01053C1F
                        • Part of subcall function 01040CDF: VariantInit.OLEAUT32(00000000), ref: 01040D1F
                        • Part of subcall function 01040CDF: VariantCopy.OLEAUT32(?,?), ref: 01040D28
                        • Part of subcall function 01040CDF: VariantClear.OLEAUT32(?), ref: 01040D34
                      Strings
                      Similarity
                      • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                      • API String ID: 4137639002-1221869570
                      • Opcode ID: 32746f60092c6a3515a0677a5619c18ef9b4c0cd4a46b0d300d32fd14a019c37
                      • Instruction ID: c6795db04b5f77a381133ffc3403ce27d3a29ede6da26cf33a1d5dd1e5c231fd
                      • Opcode Fuzzy Hash: 32746f60092c6a3515a0677a5619c18ef9b4c0cd4a46b0d300d32fd14a019c37
                      • Instruction Fuzzy Hash: E5915775A083059FCB40DF28C88096ABBE5BF88354F04896EF9899B351DB35ED45CB92
                      APIs
                        • Part of subcall function 0103000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
                        • Part of subcall function 0103000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
                        • Part of subcall function 0103000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
                        • Part of subcall function 0103000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 01054C51
                      • _wcslen.LIBCMT ref: 01054D59
                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 01054DCF
                      • CoTaskMemFree.OLE32(?), ref: 01054DDA
                      Strings
                      Similarity
                      • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                      • String ID: NULL Pointer assignment
                      • API String ID: 614568839-2785691316
                      • Opcode ID: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
                      • Instruction ID: 9800d67f19fda851104d9cb3db59c05eb471f059b2c1ae28cce22a8ba8247cb0
                      • Opcode Fuzzy Hash: bde510c4b02b68f38242f0a54d021c507ed9eeded5cc2d98757ca16cd1043d9c
                      • Instruction Fuzzy Hash: 77914771D0021DAFDF20DFA4DC90AEEBBB9BF48310F10816AE955A7251EB749A44DF60
                      APIs
                      • GetMenu.USER32(?), ref: 01062183
                      • GetMenuItemCount.USER32(00000000), ref: 010621B5
                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 010621DD
                      • _wcslen.LIBCMT ref: 01062213
                      • GetMenuItemID.USER32(?,?), ref: 0106224D
                      • GetSubMenu.USER32(?,?), ref: 0106225B
                        • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                        • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                        • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 010622E3
                        • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                      Similarity
                      • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                      • String ID:
                      • API String ID: 4196846111-0
                      • Opcode ID: ddf2a0ef65b6d1ab8137a0ea7128d1654b4cbfcc626b13d8a6c96e284d9e5319
                      • Instruction ID: 1bacc85326933825c6ed706574697fdb211d4470e83537e660c48c8a70184506
                      • Opcode Fuzzy Hash: ddf2a0ef65b6d1ab8137a0ea7128d1654b4cbfcc626b13d8a6c96e284d9e5319
                      • Instruction Fuzzy Hash: 65717075E00206EFCB10DF68C845AAEBBF9EF88310F148499E996EB351D735E9418B90
                      APIs
                      • GetParent.USER32(?), ref: 0103AEF9
                      • GetKeyboardState.USER32(?), ref: 0103AF0E
                      • SetKeyboardState.USER32(?), ref: 0103AF6F
                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 0103AF9D
                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0103AFBC
                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 0103AFFD
                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0103B020
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
                      • Instruction ID: dcdda6f7b8d5dd6210e18cc905720b2ff74d97c2e9c4dc556c3f0da4a5511b48
                      • Opcode Fuzzy Hash: cf5bf3758e9a5a4bcb43ce60a46702a6a8a81425b0c7367a4ee94df527f5348a
                      • Instruction Fuzzy Hash: 8951E3A06047D57DFB764238C845BBABEED5B86308F0885C9F2D9964D2C3D9A8C4D760
                      APIs
                      • GetParent.USER32(00000000), ref: 0103AD19
                      • GetKeyboardState.USER32(?), ref: 0103AD2E
                      • SetKeyboardState.USER32(?), ref: 0103AD8F
                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0103ADBB
                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0103ADD8
                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0103AE17
                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0103AE38
                      Similarity
                      • API ID: MessagePost$KeyboardState$Parent
                      • String ID:
                      • API String ID: 87235514-0
                      • Opcode ID: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
                      • Instruction ID: 527a20a00bd03e8878412d67805cb697a3a877bf4b6827a311a0279fb4720fc8
                      • Opcode Fuzzy Hash: 255f225906d6ab0f09de3dd24de045f067bedda0c890e9a3470957a80f589702
                      • Instruction Fuzzy Hash: E451E7A17047D57EFB379238CC59BBA7EDC5B86304F0885C8E1D6874C2D294E884D760
                      APIs
                      • GetConsoleCP.KERNEL32(01013CD6,?,?,?,?,?,?,?,?,01005BA3,?,?,01013CD6,?,?), ref: 01005470
                      • __fassign.LIBCMT ref: 010054EB
                      • __fassign.LIBCMT ref: 01005506
                      • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,01013CD6,00000005,00000000,00000000), ref: 0100552C
                      • WriteFile.KERNEL32(?,01013CD6,00000000,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 0100554B
                      • WriteFile.KERNEL32(?,?,00000001,01005BA3,00000000,?,?,?,?,?,?,?,?,?,01005BA3,?), ref: 01005584
                      Similarity
                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                      • String ID:
                      • API String ID: 1324828854-0
                      • Opcode ID: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
                      • Instruction ID: fad42c17f26f2de9184f950cc57bf5853d17be7232e586263fee1967f89829d6
                      • Opcode Fuzzy Hash: b8b5f39179328974c68b370caee3b259fce603fb6ad279ee87e42dadb21aaa67
                      • Instruction Fuzzy Hash: 6451BF70A002499FEB22CFA8DC55AEEBBF9EF09301F14415AF995E7291D6319A41CF60
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00FF2D4B
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00FF2D53
                      • _ValidateLocalCookies.LIBCMT ref: 00FF2DE1
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00FF2E0C
                      • _ValidateLocalCookies.LIBCMT ref: 00FF2E61
                      Strings
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: csm
                      • API String ID: 1170836740-1018135373
                      • Opcode ID: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
                      • Instruction ID: 569ab40d31e24c7b9c3318080b1d97128085cae5f8a2f9048d7c8a1095877188
                      • Opcode Fuzzy Hash: f7bd6224d96904da030aadefab687ddf5dcda9ae10034af94941dfcf4f3fcf99
                      • Instruction Fuzzy Hash: D041B335E0020DABCF10DF68CC95ABEBBB5BF45324F148155EA14AB362D7399A05DB90
                      APIs
                        • Part of subcall function 0105304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                        • Part of subcall function 0105304E: _wcslen.LIBCMT ref: 0105309B
                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01051112
                      • WSAGetLastError.WSOCK32 ref: 01051121
                      • WSAGetLastError.WSOCK32 ref: 010511C9
                      • closesocket.WSOCK32(00000000), ref: 010511F9
                      Similarity
                      • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                      • String ID:
                      • API String ID: 2675159561-0
                      • Opcode ID: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
                      • Instruction ID: 5fea2a7d6d14d5c539a584ddd55500b57e396f4fc6805ccc21446e9a50d18906
                      • Opcode Fuzzy Hash: 411542f2f83e35a9e5a7ddb458f99071b3a99d5b089bd39ab6b739c7827533c6
                      • Instruction Fuzzy Hash: 03412B31600204AFEB609F28C844BAEBBE9FF45364F048099FC959B295C779ED41CBE5
                      APIs
                        • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD
                        • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16
                      • lstrcmpiW.KERNEL32(?,?), ref: 0103CF45
                      • MoveFileW.KERNEL32(?,?), ref: 0103CF7F
                      • _wcslen.LIBCMT ref: 0103D005
                      • _wcslen.LIBCMT ref: 0103D01B
                      • SHFileOperationW.SHELL32(?), ref: 0103D061
                      Strings
                      Similarity
                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                      • String ID: \*.*
                      • API String ID: 3164238972-1173974218
                      • Opcode ID: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
                      • Instruction ID: c46a69caed7f51650b2f80320c10e0511cd6f057aa9aa5a569cc2b371a3dcd2a
                      • Opcode Fuzzy Hash: 8e44ea0315bece9f24bc4e345bc45ebdd13d103dd408e6ba2c102f6f2bddf1d5
                      • Instruction Fuzzy Hash: 774155719052195FEF52EBA4DA81ADEB7FCAF58380F0000E6E689EB141EB35A744CF50
                      APIs
                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01062E1C
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 01062E4F
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 01062E84
                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01062EB6
                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 01062EE0
                      • GetWindowLongW.USER32(00000000,000000F0), ref: 01062EF1
                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01062F0B
                      Similarity
                      • API ID: LongWindow$MessageSend
                      • String ID:
                      • API String ID: 2178440468-0
                      • Opcode ID: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
                      • Instruction ID: 6c21fb142d4c51ca54f652e7aa93b939937cd6b8b8fa6433dea680f642455f71
                      • Opcode Fuzzy Hash: 66c3990766660ded6639d2566ccc3282cde3b4ecf59a489a48a07bacbf70ea5a
                      • Instruction Fuzzy Hash: 57312430644241AFEB21CF5CDD84FA537E8FB9A710F1501A5FA908F2A6CB76A840CB01
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037769
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0103778F
                      • SysAllocString.OLEAUT32(00000000), ref: 01037792
                      • SysAllocString.OLEAUT32(?), ref: 010377B0
                      • SysFreeString.OLEAUT32(?), ref: 010377B9
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 010377DE
                      • SysAllocString.OLEAUT32(?), ref: 010377EC
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 3fbe26b0b2239251bb3f2045cbf25f9cdd2ad1ef9e38a2f7965335fc39e0e70a
                      • Instruction ID: fd97319947ae23b3632598ee0d9cc216ec98d91217a4c3d1fed49129191456c0
                      • Opcode Fuzzy Hash: 3fbe26b0b2239251bb3f2045cbf25f9cdd2ad1ef9e38a2f7965335fc39e0e70a
                      • Instruction Fuzzy Hash: CB21B0B6604219AFEB11DEADCC88CBB77ECFB492647008066FA84DB251DA74DC41C760
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037842
                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01037868
                      • SysAllocString.OLEAUT32(00000000), ref: 0103786B
                      • SysAllocString.OLEAUT32 ref: 0103788C
                      • SysFreeString.OLEAUT32 ref: 01037895
                      • StringFromGUID2.OLE32(?,?,00000028), ref: 010378AF
                      • SysAllocString.OLEAUT32(?), ref: 010378BD
                      Similarity
                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                      • String ID:
                      • API String ID: 3761583154-0
                      • Opcode ID: 3df784b6765ba7188c0a9edb8d83347c62eeb1c0794435b086cef188af3a64c6
                      • Instruction ID: ae540356ce52488a77f3e5e18288388e7c4b10473fa9a1eedb0b2bf597bb381e
                      • Opcode Fuzzy Hash: 3df784b6765ba7188c0a9edb8d83347c62eeb1c0794435b086cef188af3a64c6
                      • Instruction Fuzzy Hash: 5C21C171600204AFEB209FADCC88DAA77ECEB493607008025F994CB2A5DA74DC41CB74
                      APIs
                      • GetStdHandle.KERNEL32(000000F6), ref: 010405C6
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01040601
                      Strings
                      Similarity
                      • API ID: CreateHandlePipe
                      • String ID: nul
                      • API String ID: 1424370930-2873401336
                      • Opcode ID: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
                      • Instruction ID: 5629ebd9f968070f5f2e4bac6c63070a570510135bdc593f4756577f3f44d98c
                      • Opcode Fuzzy Hash: ef4b12637e06ce83b6b084f7124312954b881a18fffddc972ef6e0d50ced975d
                      • Instruction Fuzzy Hash: 2121A6B55003059BEB209F6DC884ADA7BE4AF89724F304A69FEE2F72D8D7719540CB50
                      APIs
                      • GetStdHandle.KERNEL32(0000000C), ref: 010404F2
                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0104052E
                      Strings
                      Similarity
                      • API ID: CreateHandlePipe
                      • String ID: nul
                      • API String ID: 1424370930-2873401336
                      • Opcode ID: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
                      • Instruction ID: 83678e57a6ddbc2e328ecf78d4c0ad81e1b4fd4a7a237ef8ec0ae845722d4255
                      • Opcode Fuzzy Hash: 38482ca61c329aa4e2e6dd96a007a00bb4e832336d839d5d4c0931a3eb4116d7
                      • Instruction Fuzzy Hash: 362171F1500305EBEB209F29D884ADB7BE4EF45724F104A69FAE1E71E8D7719540CB60
                      APIs
                        • Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                        • Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
                        • Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01064112
                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0106411F
                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0106412A
                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01064139
                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01064145
                      Similarity
                      • API ID: MessageSend$CreateObjectStockWindow
                      • String ID: Msctls_Progress32
                      • API String ID: 1025951953-3636473452
                      • Opcode ID: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
                      • Instruction ID: bdfef38d8b799715c2954b65a0b2d36d129f15237c00b003779cc64aef258c7f
                      • Opcode Fuzzy Hash: 9a91ac2beabc28fa7d2c859cf71c9d82dc3e29ebc422f3c6db6d44c4dff798c9
                      • Instruction Fuzzy Hash: FE1182B215021ABEFF219E64CC85EEB7F9DEF08798F014111FA58E6150C6769C21DBA4
                      APIs
                        • Part of subcall function 0100D7A3: _free.LIBCMT ref: 0100D7CC
                      • _free.LIBCMT ref: 0100D82D
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • _free.LIBCMT ref: 0100D838
                      • _free.LIBCMT ref: 0100D843
                      • _free.LIBCMT ref: 0100D897
                      • _free.LIBCMT ref: 0100D8A2
                      • _free.LIBCMT ref: 0100D8AD
                      • _free.LIBCMT ref: 0100D8B8
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                      • Instruction ID: 3aac571e8af34bbd681cc50084bb9e42a53d80b87334a38304f0e981b84b7aa9
                      • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                      • Instruction Fuzzy Hash: 6B113771940B45AAFA23BFF4CC49FCB7BDCBF60700F400825A2DDA60D0EA65B5058762
                      APIs
                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0103DA74
                      • LoadStringW.USER32(00000000), ref: 0103DA7B
                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0103DA91
                      • LoadStringW.USER32(00000000), ref: 0103DA98
                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0103DADC
                      Strings
                      • %s (%d) : ==> %s: %s %s, xrefs: 0103DAB9
                      Similarity
                      • API ID: HandleLoadModuleString$Message
                      • String ID: %s (%d) : ==> %s: %s %s
                      • API String ID: 4072794657-3128320259
                      • Opcode ID: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
                      • Instruction ID: a5ea3365a5f75a751a209cc0b3122f74cd054001c93f04fe16f3851707d37cea
                      • Opcode Fuzzy Hash: 4f69e2289048aee5f8d6ddf4c5f69f9c349e19f5920e47cfc2b3776aa9d67908
                      • Instruction Fuzzy Hash: D70162F2500208BFF7109BE49E89EEB376CE708301F400496F7C6E6045EA799E844B74
                      APIs
                      • InterlockedExchange.KERNEL32(0167E960,0167E960), ref: 0104097B
                      • EnterCriticalSection.KERNEL32(0167E940,00000000), ref: 0104098D
                      • TerminateThread.KERNEL32(01679B60,000001F6), ref: 0104099B
                      • WaitForSingleObject.KERNEL32(01679B60,000003E8), ref: 010409A9
                      • CloseHandle.KERNEL32(01679B60), ref: 010409B8
                      • InterlockedExchange.KERNEL32(0167E960,000001F6), ref: 010409C8
                      • LeaveCriticalSection.KERNEL32(0167E940), ref: 010409CF
                      Similarity
                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                      • String ID:
                      • API String ID: 3495660284-0
                      • Opcode ID: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
                      • Instruction ID: 2a4db53aa06f65736638d93bfa1513b93368d33f20ae90b57cc5301fbd0b7500
                      • Opcode Fuzzy Hash: 124301a2afd15fccd5d589ee976a6a5d34fd9a63013c37bda1b6ae31525924c0
                      • Instruction Fuzzy Hash: B5F01D31442512BBF7615BA4EF88AD67A25BF01702F401025F281608A8C77A9465CFA0
                      APIs
                      • GetClientRect.USER32(?,?), ref: 00FD5D30
                      • GetWindowRect.USER32(?,?), ref: 00FD5D71
                      • ScreenToClient.USER32(?,?), ref: 00FD5D99
                      • GetClientRect.USER32(?,?), ref: 00FD5ED7
                      • GetWindowRect.USER32(?,?), ref: 00FD5EF8
                      Similarity
                      • API ID: Rect$Client$Window$Screen
                      • String ID:
                      • API String ID: 1296646539-0
                      • Opcode ID: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
                      • Instruction ID: 26534d3c09c098c40f9639da2ffd7122bdc13ac9a71eb4bef64bd41c76424ac5
                      • Opcode Fuzzy Hash: 559c7a901b9e0ce8affa4ec4413b613e11a721d66a85adcffa9f0cc74d1f372b
                      • Instruction Fuzzy Hash: 91B18C35A0074ADBDB14DFA8C4807EEB7F2FF48310F18851AE8A9D7254DB34AA51DB54
                      APIs
                      • __allrem.LIBCMT ref: 010000BA
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010000D6
                      • __allrem.LIBCMT ref: 010000ED
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0100010B
                      • __allrem.LIBCMT ref: 01000122
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01000140
                      Similarity
                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 1992179935-0
                      • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                      • Instruction ID: 1c8448dce8cc15a174d1d1ffe8294a1e8b22dd9f4545ed7bf929efcdd96bbd19
                      • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
                      • Instruction Fuzzy Hash: 70811676A00B069BF7269E78CC40BAB73E9AF51764F24463EF691D72D0E774D9008B90
                      APIs
                        • Part of subcall function 01053149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0105101C,00000000,?,?,00000000), ref: 01053195
                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01051DC0
                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01051DE1
                      • WSAGetLastError.WSOCK32 ref: 01051DF2
                      • inet_ntoa.WSOCK32(?), ref: 01051E8C
                      • htons.WSOCK32(?,?,?,?,?), ref: 01051EDB
                      • _strlen.LIBCMT ref: 01051F35
                        • Part of subcall function 010339E8: _strlen.LIBCMT ref: 010339F2
                        • Part of subcall function 00FD6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,00FECF58,?,?,?), ref: 00FD6DBA
                        • Part of subcall function 00FD6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,00FECF58,?,?,?), ref: 00FD6DED
                      Similarity
                      • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
                      • String ID:
                      • API String ID: 1923757996-0
                      • Opcode ID: ef15ca8c539e699ec6edc6db4245bb7ddb4d8e45ea3003c03e2cf53f5c6fded1
                      • Instruction ID: 16ddd328d93373d35f7fd5aeb9b52b1fd2fd5f7199c5c4e964fe68f611a1909f
                      • Opcode Fuzzy Hash: ef15ca8c539e699ec6edc6db4245bb7ddb4d8e45ea3003c03e2cf53f5c6fded1
                      • Instruction Fuzzy Hash: CBA1D030204340AFD364EF24C885F2B7BE5AF94318F58894DF9965B2A2CB75ED46CB91
                      APIs
                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00FF82D9,00FF82D9,?,?,?,0100644F,00000001,00000001,8BE85006), ref: 01006258
                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0100644F,00000001,00000001,8BE85006,?,?,?), ref: 010062DE
                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 010063D8
                      • __freea.LIBCMT ref: 010063E5
                        • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                      • __freea.LIBCMT ref: 010063EE
                      • __freea.LIBCMT ref: 01006413
                      Similarity
                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                      • String ID:
                      • API String ID: 1414292761-0
                      • Opcode ID: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
                      • Instruction ID: 3a167b4512316bd94e8d1b5198120e3360e9c942e8fa05175ecf796e2b43383e
                      • Opcode Fuzzy Hash: 7034a82da91fcac003f688c616e2d4ef6f98624b6124d1c98923a4d114a2e252
                      • Instruction Fuzzy Hash: DD51E872600216AFFB274E64CC81EAF7BEAEF44650F158269FD45DA1C0DB36DC50C6A0
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BCCA
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BD25
                      • RegCloseKey.ADVAPI32(00000000), ref: 0105BD6A
                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0105BD99
                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105BDF3
                      • RegCloseKey.ADVAPI32(?), ref: 0105BDFF
                      Similarity
                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                      • String ID:
                      • API String ID: 1120388591-0
                      • Opcode ID: f8f1efe8790cd4d1b57721cb12de6e50ee98033f8357c8b2c7fdb4d42b3933e3
                      • Instruction ID: 5069ca4d37dda5d075f4a7ee905dfac34f16be41df8998abe0669ea1489bd471
                      • Opcode Fuzzy Hash: f8f1efe8790cd4d1b57721cb12de6e50ee98033f8357c8b2c7fdb4d42b3933e3
                      • Instruction Fuzzy Hash: 5581B330208241AFD754EF24C895E2BBBE6FF84308F18459DF5954B2A2DB35ED05DB92
                      APIs
                      • VariantInit.OLEAUT32(00000035), ref: 0102F7B9
                      • SysAllocString.OLEAUT32(00000001), ref: 0102F860
                      • VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F889
                      • VariantClear.OLEAUT32(0102FA64), ref: 0102F8AD
                      • VariantCopy.OLEAUT32(0102FA64,00000000), ref: 0102F8B1
                      • VariantClear.OLEAUT32(?), ref: 0102F8BB
                      Similarity
                      • API ID: Variant$ClearCopy$AllocInitString
                      • String ID:
                      • API String ID: 3859894641-0
                      • Opcode ID: ae1c487a908bb0b8a009745476093cc01336c1c797c923be02d6cfff9d557d03
                      • Instruction ID: a4d9d89b52ec5642ae68895a76ff8ab95ee46fc4f47528a40885e237d80ba23b
                      • Opcode Fuzzy Hash: ae1c487a908bb0b8a009745476093cc01336c1c797c923be02d6cfff9d557d03
                      • Instruction Fuzzy Hash: 7851E331600322BADF20AF65D884B6DB3F9EF45350F24845BE986DF295DBB49C40CB96
                      APIs
                        • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      • GetOpenFileNameW.COMDLG32(00000058), ref: 010494E5
                      • _wcslen.LIBCMT ref: 01049506
                      • _wcslen.LIBCMT ref: 0104952D
                      • GetSaveFileNameW.COMDLG32(00000058), ref: 01049585
                      Similarity
                      • API ID: _wcslen$FileName$OpenSave
                      • String ID: X
                      • API String ID: 83654149-3081909835
                      • Opcode ID: 94355f2ca700b55f09c35d096361736fda4383207d71d7a442cbe24a7879f5f3
                      • Instruction ID: 42465ca81f31589b0cf966817e7466fd51700674d7dce6c092d2df69ae5c90e9
                      • Opcode Fuzzy Hash: 94355f2ca700b55f09c35d096361736fda4383207d71d7a442cbe24a7879f5f3
                      • Instruction Fuzzy Hash: 59E180716083418FD724DF24C881A6AB7E5BF89314F18857DF9899B3A2DB35ED04CB92
                      APIs
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      • BeginPaint.USER32(?,?,?), ref: 00FE9241
                      • GetWindowRect.USER32(?,?), ref: 00FE92A5
                      • ScreenToClient.USER32(?,?), ref: 00FE92C2
                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00FE92D3
                      • EndPaint.USER32(?,?,?,?,?), ref: 00FE9321
                      • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 010271EA
                        • Part of subcall function 00FE9339: BeginPath.GDI32(00000000), ref: 00FE9357
                      Similarity
                      • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                      • String ID:
                      • API String ID: 3050599898-0
                      • Opcode ID: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
                      • Instruction ID: 8bdb5b02df2c3b221a83173b7b870337f9abee4d4af85e26a70d13e67f4b1e3c
                      • Opcode Fuzzy Hash: a86b0d2afc63f70f74122dcebd6a45e2fcaa2463dd5c3e273236913751886bbd
                      • Instruction Fuzzy Hash: 2941B031108340AFD721DF29C884FAA7BE9EF59320F140269FAE4871E1C7769845EB62
                      APIs
                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 0104080C
                      • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 01040847
                      • EnterCriticalSection.KERNEL32(?), ref: 01040863
                      • LeaveCriticalSection.KERNEL32(?), ref: 010408DC
                      • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 010408F3
                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 01040921
                      Similarity
                      • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                      • String ID:
                      • API String ID: 3368777196-0
                      • Opcode ID: 04c75b22003e05b870aef8b23f33dcd00f1f2a8177033db1a489cd4fe23c8807
                      • Instruction ID: 7ebaed5da5dffe4992cf38ba1de04780f5fa6b661751ada75dad63d6d51428ef
                      • Opcode Fuzzy Hash: 04c75b22003e05b870aef8b23f33dcd00f1f2a8177033db1a489cd4fe23c8807
                      • Instruction Fuzzy Hash: FA418B71900205EBEF159F54DC81AAA77B9FF04300F1080B9EE40AA29ADB35EE54DBA0
                      APIs
                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0102F3AB,00000000,?,?,00000000,?,0102682C,00000004,00000000,00000000), ref: 0106824C
                      • EnableWindow.USER32(00000000,00000000), ref: 01068272
                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 010682D1
                      • ShowWindow.USER32(00000000,00000004), ref: 010682E5
                      • EnableWindow.USER32(00000000,00000001), ref: 0106830B
                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0106832F
                      Similarity
                      • API ID: Window$Show$Enable$MessageSend
                      • String ID:
                      • API String ID: 642888154-0
                      APIs
                      • GetForegroundWindow.USER32(?,?,00000000), ref: 010522E8
                        • Part of subcall function 0104E4EC: GetWindowRect.USER32(?,?), ref: 0104E504
                      • GetDesktopWindow.USER32 ref: 01052312
                      • GetWindowRect.USER32(00000000), ref: 01052319
                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 01052355
                      • GetCursorPos.USER32(?), ref: 01052381
                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 010523DF
                      Similarity
                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                      • String ID:
                      • API String ID: 2387181109-0
                      APIs
                      • IsWindowVisible.USER32(?), ref: 01034C95
                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 01034CB2
                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 01034CEA
                      • _wcslen.LIBCMT ref: 01034D08
                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 01034D10
                      • _wcsstr.LIBVCRUNTIME ref: 01034D1A
                      Similarity
                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                      • String ID:
                      • API String ID: 72514467-0
                      APIs
                        • Part of subcall function 00FD3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FD3A97,?,?,00FD2E7F,?,?,?,00000000), ref: 00FD3AC2
                      • _wcslen.LIBCMT ref: 0104587B
                      • CoInitialize.OLE32(00000000), ref: 01045995
                      • CoCreateInstance.OLE32(0106FCF8,00000000,00000001,0106FB68,?), ref: 010459AE
                      • CoUninitialize.OLE32 ref: 010459CC
                      Strings
                      Similarity
                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                      • String ID: .lnk
                      • API String ID: 3172280962-24824748
                      APIs
                        • Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
                        • Part of subcall function 01030FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
                        • Part of subcall function 01030FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
                        • Part of subcall function 01030FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
                        • Part of subcall function 01030FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002
                      • GetLengthSid.ADVAPI32(?,00000000,01031335), ref: 010317AE
                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 010317BA
                      • HeapAlloc.KERNEL32(00000000), ref: 010317C1
                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 010317DA
                      • GetProcessHeap.KERNEL32(00000000,00000000,01031335), ref: 010317EE
                      • HeapFree.KERNEL32(00000000), ref: 010317F5
                      Similarity
                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                      • String ID:
                      • API String ID: 3008561057-0
                      APIs
                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 010314FF
                      • OpenProcessToken.ADVAPI32(00000000), ref: 01031506
                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 01031515
                      • CloseHandle.KERNEL32(00000004), ref: 01031520
                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0103154F
                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 01031563
                      Similarity
                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                      • String ID:
                      • API String ID: 1413079979-0
                      APIs
                      • GetLastError.KERNEL32(?,?,00FF3379,00FF2FE5), ref: 00FF3390
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00FF339E
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00FF33B7
                      • SetLastError.KERNEL32(00000000,?,00FF3379,00FF2FE5), ref: 00FF3409
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      APIs
                      • GetLastError.KERNEL32(?,?,01005686,01013CD6,?,00000000,?,01005B6A,?,?,?,?,?,00FFE6D1,?,01098A48), ref: 01002D78
                      • _free.LIBCMT ref: 01002DAB
                      • _free.LIBCMT ref: 01002DD3
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DE0
                      • SetLastError.KERNEL32(00000000,?,?,?,?,00FFE6D1,?,01098A48,00000010,00FD4F4A,?,?,00000000,01013CD6), ref: 01002DEC
                      • _abort.LIBCMT ref: 01002DF2
                      Similarity
                      • API ID: ErrorLast$_free$_abort
                      • String ID:
                      • API String ID: 3160817290-0
                      APIs
                        • Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                        • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
                        • Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
                        • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2
                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 01068A4E
                      • LineTo.GDI32(?,00000003,00000000), ref: 01068A62
                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 01068A70
                      • LineTo.GDI32(?,00000000,00000003), ref: 01068A80
                      • EndPath.GDI32(?), ref: 01068A90
                      • StrokePath.GDI32(?), ref: 01068AA0
                      Similarity
                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                      • String ID:
                      • API String ID: 43455801-0
                      APIs
                      • GetDC.USER32(00000000), ref: 01035218
                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 01035229
                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01035230
                      • ReleaseDC.USER32(00000000,00000000), ref: 01035238
                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0103524F
                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 01035261
                      Similarity
                      • API ID: CapsDevice$Release
                      • String ID:
                      • API String ID: 1035833867-0
                      APIs
                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FD1BF4
                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FD1BFC
                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FD1C07
                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FD1C12
                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FD1C1A
                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FD1C22
                      Similarity
                      • API ID: Virtual
                      • String ID:
                      • API String ID: 4278518827-0
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0103EB30
                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0103EB46
                      • GetWindowThreadProcessId.USER32(?,?), ref: 0103EB55
                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB64
                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB6E
                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0103EB75
                      Similarity
                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                      • String ID:
                      • API String ID: 839392675-0
                      APIs
                      • GetClientRect.USER32(?), ref: 01027452
                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 01027469
                      • GetWindowDC.USER32(?), ref: 01027475
                      • GetPixel.GDI32(00000000,?,?), ref: 01027484
                      • ReleaseDC.USER32(?,00000000), ref: 01027496
                      • GetSysColor.USER32(00000005), ref: 010274B0
                      Similarity
                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                      • String ID:
                      • API String ID: 272304278-0
                      APIs
                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0103187F
                      • UnloadUserProfile.USERENV(?,?), ref: 0103188B
                      • CloseHandle.KERNEL32(?), ref: 01031894
                      • CloseHandle.KERNEL32(?), ref: 0103189C
                      • GetProcessHeap.KERNEL32(00000000,?), ref: 010318A5
                      • HeapFree.KERNEL32(00000000), ref: 010318AC
                      Similarity
                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                      • String ID:
                      • API String ID: 146765662-0
                      APIs
                        • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C6EE
                      • _wcslen.LIBCMT ref: 0103C735
                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0103C79C
                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0103C7CA
                      Strings
                      Similarity
                      • API ID: ItemMenu$Info_wcslen$Default
                      • String ID: 0
                      • API String ID: 1227352736-4108050209
                      • Opcode ID: 5e2a0ee5eae08f539f11d6b58ba646a49a39fca2bc51da36e53cd3e9f5729a98
                      • Instruction ID: 8a678475b35cdc1f0422fa41b00895a33975a406a59c9ad98296ecc964fdd0ca
                      • Opcode Fuzzy Hash: 5e2a0ee5eae08f539f11d6b58ba646a49a39fca2bc51da36e53cd3e9f5729a98
                      • Instruction Fuzzy Hash: 6051C2716043009BF7969E28CE45A6B7BECBFC9310F04096EFAD5E2191DB74D904D752
                      APIs
                      • ShellExecuteExW.SHELL32(0000003C), ref: 0105AEA3
                        • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                      • GetProcessId.KERNEL32(00000000), ref: 0105AF38
                      • CloseHandle.KERNEL32(00000000), ref: 0105AF67
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CloseExecuteHandleProcessShell_wcslen
                      • String ID: <$@
                      • API String ID: 146682121-1426351568
                      • Opcode ID: 0780cb899328533724b4e6fe528c5e66f6cc58dbb8957865d64083a5e9b6d6f5
                      • Instruction ID: 2bc1446f029050c4df87eb08fd289dd321cb5bb1cd8ac783c9d7caf5817d01d4
                      • Opcode Fuzzy Hash: 0780cb899328533724b4e6fe528c5e66f6cc58dbb8957865d64083a5e9b6d6f5
                      • Instruction Fuzzy Hash: 78718D71A00215DFCB54EF94D884A9EBBF1FF08310F08859AE856AB392D779ED41DB90
                      APIs
                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 01037206
                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0103723C
                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0103724D
                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 010372CF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorMode$AddressCreateInstanceProc
                      • String ID: DllGetClassObject
                      • API String ID: 753597075-1075368562
                      • Opcode ID: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
                      • Instruction ID: 317d9b5ced393f815f3a96b604ae763eaa660ced7e08a2bb0de77714e5705eb7
                      • Opcode Fuzzy Hash: 6e8510c71fb41cb4717d28b3f55f5895a90966ecd18f3f45696464649d5a19ae
                      • Instruction Fuzzy Hash: 9C413DB1A00205EFDB25CF54C884A9A7FADEF89310F1480ADFD459F20AD7B5D944CBA0
                      APIs
                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01063E35
                      • IsMenu.USER32(?), ref: 01063E4A
                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 01063E92
                      • DrawMenuBar.USER32 ref: 01063EA5
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Menu$Item$DrawInfoInsert
                      • String ID: 0
                      • API String ID: 3076010158-4108050209
                      • Opcode ID: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
                      • Instruction ID: bb04cf70da7ccb075e1837914afccd464e36571a01c20e9521a39e94d37bbdad
                      • Opcode Fuzzy Hash: d7b0f1e40ab8c98244488ec62ec5f8f237bd54e9445dbdf8854ccc7e94d1a18d
                      • Instruction Fuzzy Hash: DF416C75A00209AFEB20DF54DC84AEABBF9FF48350F044159F9899B290D735A940CFA0
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 01031E66
                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 01031E79
                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 01031EA9
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$_wcslen$ClassName
                      • String ID: ComboBox$ListBox
                      • API String ID: 2081771294-1403004172
                      • Opcode ID: 43e7ee81956a72ab52781a59c87ff4cee37444099497019a93c7d01a5e438e09
                      • Instruction ID: a8d820d8a5628f6da50707485e1bc3c2354945b75a164cb5f0b54a758d8b32e7
                      • Opcode Fuzzy Hash: 43e7ee81956a72ab52781a59c87ff4cee37444099497019a93c7d01a5e438e09
                      • Instruction Fuzzy Hash: 20213871A00108BEEB14ABA5DC45CFFBBBDEF89350B04411AF4A1A72E1DB7A59099730
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: HKEY_LOCAL_MACHINE$HKLM
                      • API String ID: 176396367-4004644295
                      • Opcode ID: dd36355957a4f5547ddffd77a9d9682d76612488d3c7d189ed7852701efae5b3
                      • Instruction ID: 97d0fcb3eecaf7d94acdaeb77ecda2f3ca7aa577257fe90585586680fc4c86b0
                      • Opcode Fuzzy Hash: dd36355957a4f5547ddffd77a9d9682d76612488d3c7d189ed7852701efae5b3
                      • Instruction Fuzzy Hash: 9F310633A002654BEBB1DF6CDA500BF3FD99B91658F094099ECC1AB346E6B1CD40E7A0
                      APIs
                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01062F8D
                      • LoadLibraryW.KERNEL32(?), ref: 01062F94
                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01062FA9
                      • DestroyWindow.USER32(?), ref: 01062FB1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$DestroyLibraryLoadWindow
                      • String ID: SysAnimate32
                      • API String ID: 3529120543-1011021900
                      • Opcode ID: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
                      • Instruction ID: bf04ae74d7c22422626a5dfe4bab039b9f06802b98fcf13707bc302407b8cee2
                      • Opcode Fuzzy Hash: 09e7cd5f7c87dd4362e4def5292bf059218c8baaff41e5f0dca3b9502857d34e
                      • Instruction Fuzzy Hash: 0E21CD72204209ABEF218FA8DC80EBB37EDEF49364F104629FAD0D6195D771DC519760
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002), ref: 00FF4D8D
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00FF4DA0
                      • FreeLibrary.KERNEL32(00000000,?,?,?,00FF4D1E,010028E9,?,00FF4CBE,010028E9,010988B8,0000000C,00FF4E15,010028E9,00000002,00000000), ref: 00FF4DC3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
                      • Instruction ID: 7bf1decf2e549fd073ddcfb205bc04de0baba1e36d803bb84dc5b745f9cea217
                      • Opcode Fuzzy Hash: 2c62f88320cfa4c10b01eab3be737b0852af885945167f3701a1160a33231e64
                      • Instruction Fuzzy Hash: F0F0C830E0020CBBEB209F90DD09BAEBFF4EF45711F000158F985A6164CB355D40DB94
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E9C
                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FD4EAE
                      • FreeLibrary.KERNEL32(00000000,?,?,00FD4EDD,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4EC0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-3689287502
                      • Opcode ID: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
                      • Instruction ID: fbd3e5047251314a05c1c33b72b1f11549ed6ee7c7b2f5ff0f680a4cbcf9b672
                      • Opcode Fuzzy Hash: 58235318a35e780c2fb5a1a0a2b77acc3fe906fad59e549684a80c4a5544d5b6
                      • Instruction Fuzzy Hash: 0BE0CD35E02522ABE33117266C28B5F7759AF82F72B0D0116FCC0DA304DF74DC0155A0
                      APIs
                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E62
                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FD4E74
                      • FreeLibrary.KERNEL32(00000000,?,?,01013CDE,?,010A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00FD4E87
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Library$AddressFreeLoadProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                      • API String ID: 145871493-1355242751
                      • Opcode ID: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
                      • Instruction ID: 5448a2a5a9c3e822e3d3c8c11a49ccad93ceeb870f0af9682ae0c3d7ce521bc9
                      • Opcode Fuzzy Hash: 44b545beee00601f552fbe9b637f90a762820b47af23a8b774eb5d18455e1040
                      • Instruction Fuzzy Hash: FED0C231902661A76A321B25A828E8B2B19AFC6B613090216F8C0AA218CF35CD01A6D0
                      APIs
                      • GetCurrentProcessId.KERNEL32 ref: 0105A427
                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0105A435
                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0105A468
                      • CloseHandle.KERNEL32(?), ref: 0105A63D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$CloseCountersCurrentHandleOpen
                      • String ID:
                      • API String ID: 3488606520-0
                      • Opcode ID: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
                      • Instruction ID: b07e5a67c9646086e45879c47f812576e28d86f81faf07df9fd0ab9af71ef79d
                      • Opcode Fuzzy Hash: 538f66a4db0701fa79b028644c33bb30ede134eb9545b0c5ec0e126890b30e6f
                      • Instruction Fuzzy Hash: 89A191716043019FE760DF18C882F2AB7E5AF88714F04895DF99A9B392DBB4E841CB91
                      APIs
                        • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0103CF22,?), ref: 0103DDFD
                        • Part of subcall function 0103DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0103CF22,?), ref: 0103DE16
                        • Part of subcall function 0103E199: GetFileAttributesW.KERNEL32(?,0103CF95), ref: 0103E19A
                      • lstrcmpiW.KERNEL32(?,?), ref: 0103E473
                      • MoveFileW.KERNEL32(?,?), ref: 0103E4AC
                      • _wcslen.LIBCMT ref: 0103E5EB
                      • _wcslen.LIBCMT ref: 0103E603
                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0103E650
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                      • String ID:
                      • API String ID: 3183298772-0
                      • Opcode ID: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
                      • Instruction ID: 734798e4fdda73d3fbddd8580ad3013dfeb4549eaf63b14e87716a0fae79396f
                      • Opcode Fuzzy Hash: 0b7a21c2aebde0ff61d378a242a7155150480cef422cda8e238128ab60b72367
                      • Instruction Fuzzy Hash: 2B5161B25083459BD764EBA4DC809DF77ECAFC5340F004A1EE6C9D3191EF79A2888766
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 0105C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0105B6AE,?,?), ref: 0105C9B5
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105C9F1
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA68
                        • Part of subcall function 0105C998: _wcslen.LIBCMT ref: 0105CA9E
                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105BAA5
                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0105BB00
                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0105BB63
                      • RegCloseKey.ADVAPI32(?,?), ref: 0105BBA6
                      • RegCloseKey.ADVAPI32(00000000), ref: 0105BBB3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                      • String ID:
                      • API String ID: 826366716-0
                      • Opcode ID: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
                      • Instruction ID: 2c7789d2877febb2b37a10ec357acbf85d3468c7b4ff3b889342a623c3845c04
                      • Opcode Fuzzy Hash: 0c251a19b6f073db8e7c489c957c299102897fcc264902ce7da57528b443854b
                      • Instruction Fuzzy Hash: 9961C331208201AFE354DF14C890E2BBBE6FF84308F58859DF5954B2A2DB75ED45CB92
                      APIs
                      • VariantInit.OLEAUT32(?), ref: 01038BCD
                      • VariantClear.OLEAUT32 ref: 01038C3E
                      • VariantClear.OLEAUT32 ref: 01038C9D
                      • VariantClear.OLEAUT32(?), ref: 01038D10
                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01038D3B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Variant$Clear$ChangeInitType
                      • String ID:
                      • API String ID: 4136290138-0
                      • Opcode ID: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
                      • Instruction ID: 4c57303cfe24c74984ec4fa25bc0be828649206c2646bc0da0f0b6e4ad1cf8ff
                      • Opcode Fuzzy Hash: e1b22e08fb92f588f9b90397cda81371e2b35571bf3deb543f69e7e65a5b3ffb
                      • Instruction Fuzzy Hash: F8516BB5A00219EFDB10DF58C884AAABBF8FF89310F05859AF945DB314E734E911CB90
                      APIs
                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 01048BAE
                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 01048BDA
                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 01048C32
                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01048C57
                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01048C5F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: PrivateProfile$SectionWrite$String
                      • String ID:
                      • API String ID: 2832842796-0
                      • Opcode ID: 06eb81c4463d73ce8f656d3d357d57169b4a0ed662cd86006d08b86633a6e33a
                      • Instruction ID: c8f0c411d548b07e0ec7e810e1bc14cd7761169dc931db02e2f078c06f97984f
                      • Opcode Fuzzy Hash: 06eb81c4463d73ce8f656d3d357d57169b4a0ed662cd86006d08b86633a6e33a
                      • Instruction Fuzzy Hash: 67515A75A002199FDB11DF65C880A69BBF2FF48314F08C49AE849AB362DB35ED41DB91
                      APIs
                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 01058F40
                      • GetProcAddress.KERNEL32(00000000,?), ref: 01058FD0
                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 01058FEC
                      • GetProcAddress.KERNEL32(00000000,?), ref: 01059032
                      • FreeLibrary.KERNEL32(00000000), ref: 01059052
                        • Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,01041043,?,753CE610), ref: 00FEF6E6
                        • Part of subcall function 00FEF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0102FA64,00000000,00000000,?,?,01041043,?,753CE610,?,0102FA64), ref: 00FEF70D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                      • String ID:
                      • API String ID: 666041331-0
                      • Opcode ID: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
                      • Instruction ID: b5de8c52d298e78950c7533813619ae4f4b036d333cd655b5a8a097a5afa9b33
                      • Opcode Fuzzy Hash: 006a6ddb9b90422f757029e19c07842499f6dc6f25e18d173252a58096663199
                      • Instruction Fuzzy Hash: BC515835604205DFCB51DF58C4848AEBBF1FF49314B0880AAED8A9B362D735ED85CB90
                      APIs
                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 01066C33
                      • SetWindowLongW.USER32(?,000000EC,?), ref: 01066C4A
                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 01066C73
                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0104AB79,00000000,00000000), ref: 01066C98
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 01066CC7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$Long$MessageSendShow
                      • String ID:
                      • API String ID: 3688381893-0
                      • Opcode ID: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
                      • Instruction ID: 297945541406eb1d9b8c0c9336b291421e96551d07a8f683797847ac26b209f9
                      • Opcode Fuzzy Hash: 542a870305ee342cd1523bd96198f2c0d9a108e796d3ecb78b231cfe0fcf1a9f
                      • Instruction Fuzzy Hash: DE41A135A00508AFE7248F68CD54FB97FA9EB09360F040268F995A72A8C373AD41CA40
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      • Opcode ID: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
                      • Instruction ID: 977769e55b4fcda74f8fb1f81418ef3334d7d610fd291760e32db43c311c15e4
                      • Opcode Fuzzy Hash: 1e45fc54524e069795e3ea98093056e57f1de15eef4a843bfb3176361f6e72c1
                      • Instruction Fuzzy Hash: CF41E636E003009FEB22DF78C984A9DB7F5EF89314F1545A9E655EB392D731A901CB80
                      APIs
                      • GetCursorPos.USER32(?), ref: 00FE9141
                      • ScreenToClient.USER32(00000000,?), ref: 00FE915E
                      • GetAsyncKeyState.USER32(00000001), ref: 00FE9183
                      • GetAsyncKeyState.USER32(00000002), ref: 00FE919D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: AsyncState$ClientCursorScreen
                      • String ID:
                      • API String ID: 4210589936-0
                      • Opcode ID: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
                      • Instruction ID: 4b09042db855353f80010a18128468604ddd131e02f661bdb6f4a66b662dcfb5
                      • Opcode Fuzzy Hash: f819e60e82f22fbdcbd2487ce1b9c8e88c190bef9ef55e0b3ea1d30bbabaa4c3
                      • Instruction Fuzzy Hash: 61416031A0861BFBDF199F69C844BEEB775FF15320F208219E469A32D0C7785990DBA1
                      APIs
                      • GetInputState.USER32 ref: 010438CB
                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 01043922
                      • TranslateMessage.USER32(?), ref: 0104394B
                      • DispatchMessageW.USER32(?), ref: 01043955
                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 01043966
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                      • String ID:
                      • API String ID: 2256411358-0
                      • Opcode ID: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
                      • Instruction ID: 50026ed6e76feb0e6ac4f3c98300041d68214ca2da7c2bbd459e4d264e4f1783
                      • Opcode Fuzzy Hash: 888d7f74545d857c12481113f13d346a25e8c607f50d8dbe74baaf76bebdd4e6
                      • Instruction Fuzzy Hash: F331E6B4504762AFFB75CA389488BB77BE8BB05300F4455BDD5E28A0D5E3799884CB11
                      APIs
                      • GetWindowRect.USER32(?,?), ref: 01031915
                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 010319C1
                      • Sleep.KERNEL32(00000000,?,?,?), ref: 010319C9
                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 010319DA
                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 010319E2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessagePostSleep$RectWindow
                      • String ID:
                      • API String ID: 3382505437-0
                      • Opcode ID: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
                      • Instruction ID: 586d8f63ccd00c18ea3e1ae239fba4669c8d736993972d404d8771e024513a34
                      • Opcode Fuzzy Hash: 2da094b66b7529d3e17f383ed92c0cce0dc507bdf288207b791bea9a38c75be1
                      • Instruction Fuzzy Hash: 4D31E871900219EFDB14CFACC948ADE3BB9EF49315F004266F9A1EB2D1C7709954CB90
                      APIs
                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 01065745
                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 0106579D
                      • _wcslen.LIBCMT ref: 010657AF
                      • _wcslen.LIBCMT ref: 010657BA
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$_wcslen
                      • String ID:
                      • API String ID: 763830540-0
                      • Opcode ID: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
                      • Instruction ID: 48940cf8ea3dd93b027f87c82e3451cbd862fd3c1d00b1a6aa55d4d42cf55d30
                      • Opcode Fuzzy Hash: 8b2e3cbb47457046c2e15deadf41e0fd7f4d8315f1410ccc6db3180d40a3f2a9
                      • Instruction Fuzzy Hash: 0D21BA71A042199AEB209FA4DC84AEE7BFCFF04764F008256FAA9EB1C4D7749585CF50
                      APIs
                      • IsWindow.USER32(00000000), ref: 01050951
                      • GetForegroundWindow.USER32 ref: 01050968
                      • GetDC.USER32(00000000), ref: 010509A4
                      • GetPixel.GDI32(00000000,?,00000003), ref: 010509B0
                      • ReleaseDC.USER32(00000000,00000003), ref: 010509E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$ForegroundPixelRelease
                      • String ID:
                      • API String ID: 4156661090-0
                      • Opcode ID: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
                      • Instruction ID: dee5c30b4fea109f0f163cab72dab253f6c2b3da04daa90d83926fc73f31b42b
                      • Opcode Fuzzy Hash: 5b9bdb98241f737b3928272859d60acef390b240281799c3b8ec2b36932e469e
                      • Instruction Fuzzy Hash: 9D218E75600204AFE714EF69D984AAEBBF9FF48700F048069F88AD7365CB75AC44CB90
                      APIs
                      • GetEnvironmentStringsW.KERNEL32 ref: 0100CDC6
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100CDE9
                        • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0100CE0F
                      • _free.LIBCMT ref: 0100CE22
                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0100CE31
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                      • String ID:
                      • API String ID: 336800556-0
                      • Opcode ID: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
                      • Instruction ID: 9b26ea651d6ecffda6efffc896ed09603969240d2a2bfdbedee87329864dc7d0
                      • Opcode Fuzzy Hash: fa0dad06d6fb9904e4bc58e47c1a74f5e3a26a060ceee5e15cb53d4545a048cf
                      • Instruction Fuzzy Hash: 7601FC726022557F333325BA6D4CC7F7DADDEC7AA171502A9FE85C7180DE658D0182B0
                      APIs
                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                      • SelectObject.GDI32(?,00000000), ref: 00FE96A2
                      • BeginPath.GDI32(?), ref: 00FE96B9
                      • SelectObject.GDI32(?,00000000), ref: 00FE96E2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ObjectSelect$BeginCreatePath
                      • String ID:
                      • API String ID: 3225163088-0
                      • Opcode ID: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
                      • Instruction ID: 3cb7aab17aac138e4febea51121248ff51262fbcc70ccf4de354d4f88e8d8d8e
                      • Opcode Fuzzy Hash: 6449a88d6aa7971d877341de57a42d19a0cdcce17b0e7616e51a42b6b7b3ce9a
                      • Instruction Fuzzy Hash: BF21D431816785EFEB318F25E9047A93BB8BB01365F500217F490A60E8D3BA5981DFA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _memcmp
                      • String ID:
                      • API String ID: 2931989736-0
                      • Opcode ID: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
                      • Instruction ID: 1f55727aa7a49a756ec05942646f03bbc37c01a22281b8f0c2b2969112db74fd
                      • Opcode Fuzzy Hash: 700888df3ca88fd43caabe50e4194da40914e6160a2fa88767e2cb8247da6ae1
                      • Instruction Fuzzy Hash: 5E01D86564520AFBE20A5515BE92FBF739DBFA13A4F414024FE449F212F764ED10D2E0
                      APIs
                      • GetLastError.KERNEL32(?,?,?,00FFF2DE,01003863,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6), ref: 01002DFD
                      • _free.LIBCMT ref: 01002E32
                      • _free.LIBCMT ref: 01002E59
                      • SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E66
                      • SetLastError.KERNEL32(00000000,00FD1129), ref: 01002E6F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ErrorLast$_free
                      • String ID:
                      • API String ID: 3170660625-0
                      • Opcode ID: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
                      • Instruction ID: d8c94fdba565fcfb894b054e932c0d5332863ed287822ff04d6ddb54aae6a3ee
                      • Opcode Fuzzy Hash: 821785e7971844f27dbfad37acb3d82535ff195f824ced18146e3cb141b3e86e
                      • Instruction Fuzzy Hash: 6F01F9765886416BF62376396D4CD6F159DABE13A1F650028F5D5921D5EA358C014220
                      APIs
                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?,?,0103035E), ref: 0103002B
                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030046
                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030054
                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?), ref: 01030064
                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0102FF41,80070057,?,?), ref: 01030070
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: From$Prog$FreeStringTasklstrcmpi
                      • String ID:
                      • API String ID: 3897988419-0
                      • Opcode ID: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
                      • Instruction ID: c8157c7d94ba7ade70b9beace782c4fdbaa64553fbeb554973a277b089bada1e
                      • Opcode Fuzzy Hash: fadc88627824b340f4cd6f00810d7f77de3d7c9ebf5147bc3855893b1392e7e1
                      • Instruction Fuzzy Hash: 0101A272601205BFEB205F68DD44BAABEEDEF84761F144124FAC5D2218D77ADD408BA0
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?), ref: 0103E997
                      • QueryPerformanceFrequency.KERNEL32(?), ref: 0103E9A5
                      • Sleep.KERNEL32(00000000), ref: 0103E9AD
                      • QueryPerformanceCounter.KERNEL32(?), ref: 0103E9B7
                      • Sleep.KERNEL32 ref: 0103E9F3
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: PerformanceQuery$CounterSleep$Frequency
                      • String ID:
                      • API String ID: 2833360925-0
                      • Opcode ID: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
                      • Instruction ID: 17059d75b81a095d235168a53b8396d8c7537929e3559de0dff8bfb5df9fce9e
                      • Opcode Fuzzy Hash: 2649a1971142726daa15472736e6375d2ff14d4090702d4144bb2f58131eeea9
                      • Instruction Fuzzy Hash: 4E016931C01629DBDF50AFE4D948AEDBB7CFF49301F000656E9C2B2244CB399552CBA1
                      APIs
                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 01031114
                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031120
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 0103112F
                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,01030B9B,?,?,?), ref: 01031136
                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0103114D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 842720411-0
                      • Opcode ID: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
                      • Instruction ID: 278874d13ed5a6f6a079012510b1ca99c1e505e5da88586600f2ddd894d8a244
                      • Opcode Fuzzy Hash: d59fb4f22d3370e8b558bc8f9535d97276ec335f5c0a64a661fd5fedc2426ddd
                      • Instruction Fuzzy Hash: ED011D75200205BFEB214F69DD49AAA3FAEEFCA260B104455F9C5D7354DA36DD009B60
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 01030FCA
                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 01030FD6
                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 01030FE5
                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 01030FEC
                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 01031002
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
                      • Instruction ID: 396d908ff5f4fc8ae7937ae9eb16e772be6cc4d84830bd91f7b0d4b7929d4d85
                      • Opcode Fuzzy Hash: ad41875d348bba799d1805ece5dd293cc6c63057faeaa079ce7da1cd811b51ae
                      • Instruction Fuzzy Hash: CDF04935200341BBEB214FA99D49F563BADEF8A662F104454FAC9DA251CA76D8108B60
                      APIs
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: HeapInformationToken$AllocErrorLastProcess
                      • String ID:
                      • API String ID: 44706859-0
                      • Opcode ID: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
                      • Instruction ID: 9e6b4fa086793339a1ba018988787ec70aeb03f84117966cf0471f93be304469
                      • Opcode Fuzzy Hash: 1b9077efb2227d94faec400e19aa2d38db1c38fe1b0c5158f741234218a60f77
                      • Instruction Fuzzy Hash: E0F06D35200341FBEB225FA9ED59F563FADEF8A661F100414FAC5DB250CA76D9108B60
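The function above shows the standard two-call GetTokenInformation pattern: a size probe, a GetLastError check (ERROR_INSUFFICIENT_BUFFER is the expected result), a HeapAlloc of the returned size, then the real query. One caveat on the report's annotation: it prints the class argument as 00000003(TokenIntegrityLevel), but in TOKEN_INFORMATION_CLASS the value 3 is TokenPrivileges and TokenIntegrityLevel is 25, so either the constant or the label is wrong. The following is an added example, not code from the report or the sample: it emulates that call sequence against a stand-in token object (the FakeToken class, the base address and the SID blob are constructed test data) and parses the TOKEN_MANDATORY_LABEL that a TokenIntegrityLevel query returns, recovering the integrity RID from the last sub-authority of the S-1-16-x SID.

```python
# Added example (not part of the Joe Sandbox report or the analysed sample).
# Emulates the probe / allocate / query chain and parses TOKEN_MANDATORY_LABEL.
import struct

ERROR_INSUFFICIENT_BUFFER = 122   # GetLastError() after the NULL-buffer probe
ERROR_INVALID_PARAMETER = 87
TokenPrivileges = 3               # TOKEN_INFORMATION_CLASS values
TokenIntegrityLevel = 25
SECURITY_MANDATORY_LABEL_AUTHORITY = 16

INTEGRITY_NAMES = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}


def build_mandatory_label(rid, base=0x00C90000, attributes=0x60):
    """Constructed test data: a TOKEN_MANDATORY_LABEL as a 32-bit process would
    receive it, SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes;} followed by the
    SID body, with Sid pointing just past the 8-byte header."""
    # SID S-1-16-<rid>: revision 1, one sub-authority, 48-bit big-endian authority 16
    sid = struct.pack("<BB", 1, 1)
    sid += SECURITY_MANDATORY_LABEL_AUTHORITY.to_bytes(6, "big")
    sid += struct.pack("<I", rid)
    header = struct.pack("<II", base + 8, attributes)
    return header + sid, base


class FakeToken:
    """Stand-in for a token handle (assumption: not a real Windows object)."""

    def __init__(self, blob, base):
        self.blob, self.base = blob, base

    def get_token_information(self, info_class, buffer_len):
        """Mimics GetTokenInformation(hToken, class, buf, len, &ret).
        Returns (ok, data, return_length, last_error)."""
        if info_class != TokenIntegrityLevel:
            return False, b"", 0, ERROR_INVALID_PARAMETER
        need = len(self.blob)
        if buffer_len < need:
            return False, b"", need, ERROR_INSUFFICIENT_BUFFER
        return True, self.blob, need, 0


def parse_sid(data, offset):
    """Parse a SID structure at `offset`, returning (authority, sub_authorities)."""
    revision, subcount = struct.unpack_from("<BB", data, offset)
    if revision != 1 or not 1 <= subcount <= 15:
        raise ValueError("malformed SID")
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % subcount, data, offset + 8)
    return authority, subs


def query_integrity_level(token):
    """The chain from the report: probe, check GetLastError, allocate, query, parse."""
    ok, _, need, err = token.get_token_information(TokenIntegrityLevel, 0)
    if ok or err != ERROR_INSUFFICIENT_BUFFER:
        raise OSError(err, "unexpected result from size probe")
    ok, blob, _, err = token.get_token_information(TokenIntegrityLevel, need)
    if not ok:
        raise OSError(err, "GetTokenInformation failed")
    sid_ptr, _attributes = struct.unpack_from("<II", blob, 0)
    authority, subs = parse_sid(blob, sid_ptr - token.base)
    if authority != SECURITY_MANDATORY_LABEL_AUTHORITY:
        raise ValueError("not a mandatory-label SID")
    rid = subs[-1]
    # RIDs between the well-known levels are bucketed to the level below them.
    level = max(k for k in INTEGRITY_NAMES if k <= rid)
    return rid, INTEGRITY_NAMES[level]


if __name__ == "__main__":
    blob, base = build_mandatory_label(0x2000)
    print(query_integrity_level(FakeToken(blob, base)))   # (8192, 'Medium')
```

Querying with class 3 (TokenPrivileges) against this stand-in fails with ERROR_INVALID_PARAMETER, which is the quickest way to see that the two class values in the report's annotation cannot both be right.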
                      APIs
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040324
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040331
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104033E
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 0104034B
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040358
                      • CloseHandle.KERNEL32(?,?,?,?,0104017D,?,010432FC,?,00000001,01012592,?), ref: 01040365
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CloseHandle
                      • String ID:
                      • API String ID: 2962429428-0
                      • Opcode ID: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
                      • Instruction ID: 056dc06c431a820420c97f204e677766cc4a433bfb92e0e2334386b5c1737e78
                      • Opcode Fuzzy Hash: 92a05e3d824efbee831f4b83a2dffa55ec32cc566087c35a8f4439b1a301a66a
                      • Instruction Fuzzy Hash: EC0190B2800B159FD7309F6AD8D0453FBF9BE502163158A7EE2D662931C371A954CF80
                      APIs
                      • _free.LIBCMT ref: 0100D752
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • _free.LIBCMT ref: 0100D764
                      • _free.LIBCMT ref: 0100D776
                      • _free.LIBCMT ref: 0100D788
                      • _free.LIBCMT ref: 0100D79A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
                      • Instruction ID: bc40eab9865ff904bad744165a532fb7aecea3dcdf80ed7554014acf9dd628fb
                      • Opcode Fuzzy Hash: e4e797feb68d2a5a947278c2a7d3400bd06e1a0de5e0e74b9dcef24506fc61e8
                      • Instruction Fuzzy Hash: B9F068325442456BB663EBDCF6C8C5A7BDDBB44250BA40849F1CCD7584D735F8404770
                      APIs
                      • GetDlgItem.USER32(?,000003E9), ref: 01035C58
                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 01035C6F
                      • MessageBeep.USER32(00000000), ref: 01035C87
                      • KillTimer.USER32(?,0000040A), ref: 01035CA3
                      • EndDialog.USER32(?,00000001), ref: 01035CBD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                      • String ID:
                      • API String ID: 3741023627-0
                      • Opcode ID: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
                      • Instruction ID: cea320f515a5e58c4dacb680960b0b296b436d7f3e9edcbc5e36584ef83e5503
                      • Opcode Fuzzy Hash: cd2b9ce00b65c590cd1b25de5e6c4b9747363dacffa5d781dc046b413bee533f
                      • Instruction Fuzzy Hash: D50144305107089EFB315B14DE4EF957BB8BB44705F04065AF6C2A14F1D7F9A9448B54
                      APIs
                      • _free.LIBCMT ref: 010022BE
                        • Part of subcall function 010029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000), ref: 010029DE
                        • Part of subcall function 010029C8: GetLastError.KERNEL32(00000000,?,0100D7D1,00000000,00000000,00000000,00000000,?,0100D7F8,00000000,00000007,00000000,?,0100DBF5,00000000,00000000), ref: 010029F0
                      • _free.LIBCMT ref: 010022D0
                      • _free.LIBCMT ref: 010022E3
                      • _free.LIBCMT ref: 010022F4
                      • _free.LIBCMT ref: 01002305
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
                      • Instruction ID: 9fdfb9676263031bb9c3bdd0dc48228cade4e1e919ad1e26cb5b6954796559e1
                      • Opcode Fuzzy Hash: eaecfb4712228a110cea549f4bbbca6d4b353e6c830d9259533ae77adeb87880
                      • Instruction Fuzzy Hash: 3EF054B48109159BA623BF54F40488D3FA8F7287A0B900506F4D0D72ECC73B4421AFE4
                      APIs
                      • EndPath.GDI32(?), ref: 00FE95D4
                      • StrokeAndFillPath.GDI32(?,?,010271F7,00000000,?,?,?), ref: 00FE95F0
                      • SelectObject.GDI32(?,00000000), ref: 00FE9603
                      • DeleteObject.GDI32 ref: 00FE9616
                      • StrokePath.GDI32(?), ref: 00FE9631
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Path$ObjectStroke$DeleteFillSelect
                      • String ID:
                      • API String ID: 2625713937-0
                      • Opcode ID: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
                      • Instruction ID: e1755e48c7337cab9367514b5f2128e4a0103f7321d2a09d4b97c6ae42db286e
                      • Opcode Fuzzy Hash: 5f479076ceb87555f4fa9b6fc8965bdc9a20f946edb592ab379e56b4d717c092
                      • Instruction Fuzzy Hash: 00F04F31409B44EBEB365F66EA0C7643FA1BB41372F448215F4E5550F8CB7A8995EF20
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: __freea$_free
                      • String ID: a/p$am/pm
                      • API String ID: 3432400110-3206640213
                      • Opcode ID: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
                      • Instruction ID: f44125d8433acb120f5964c768cf7d8983704f86b1268c186b3e493bfcdfb97c
                      • Opcode Fuzzy Hash: 6f541605b23087880b22fab27844b9a76a78accd74b6d1681ec0924a98bfa1aa
                      • Instruction Fuzzy Hash: 67D1BE71A042069AFB6B8F6CC855BFEBBF1EF05300F188199E6819B6D1D275D980CB91
                      APIs
                        • Part of subcall function 00FF0242: EnterCriticalSection.KERNEL32(010A070C,010A1884,?,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF024D
                        • Part of subcall function 00FF0242: LeaveCriticalSection.KERNEL32(010A070C,?,00FE198B,010A2518,?,?,?,00FD12F9,00000000), ref: 00FF028A
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 00FF00A3: __onexit.LIBCMT ref: 00FF00A9
                      • __Init_thread_footer.LIBCMT ref: 01057BFB
                        • Part of subcall function 00FF01F8: EnterCriticalSection.KERNEL32(010A070C,?,?,00FE8747,010A2514), ref: 00FF0202
                        • Part of subcall function 00FF01F8: LeaveCriticalSection.KERNEL32(010A070C,?,00FE8747,010A2514), ref: 00FF0235
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                      • String ID: 5$G$Variable must be of type 'Object'.
                      • API String ID: 535116098-3733170431
                      • Opcode ID: 5b14bd9ffefa99c7e30a158c3f2949308336ad1b03652c826004c40af4692b9e
                      • Instruction ID: d365023e0c32f3ef8ef446abaa21135ebb2f2a24c61fe3e69b26095c28346ec3
                      • Opcode Fuzzy Hash: 5b14bd9ffefa99c7e30a158c3f2949308336ad1b03652c826004c40af4692b9e
                      • Instruction Fuzzy Hash: 46917F71600209EFCB55EF58C890DAEBBB5FF44304F848099FD865B251DB71AE41EB61
                      APIs
                        • Part of subcall function 0103B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321D0,?,?,00000034,00000800,?,00000034), ref: 0103B42D
                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 01032760
                        • Part of subcall function 0103B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,010321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0103B3F8
                        • Part of subcall function 0103B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0103B355
                        • Part of subcall function 0103B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B365
                        • Part of subcall function 0103B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,01032194,00000034,?,?,00001004,00000000,00000000), ref: 0103B37B
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 010327CD
                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0103281A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                      • String ID: @
                      • API String ID: 4150878124-2766056989
                      • Opcode ID: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
                      • Instruction ID: f2b6dfaed21bc8351415eafdbf9339b28d2fed532b667d4e23cf18be922c04d0
                      • Opcode Fuzzy Hash: 920bd8b56dcc2f17cd12a1665db2255b62c7906a83fb97004d79f7c411e09982
                      • Instruction Fuzzy Hash: 5F416D72901219BFDB10DFA8CD41AEEBBB8FF59700F108095FA95B7180DA706E45CBA0
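The subcalls listed for this function are the chain behind the report's "Writes to foreign memory regions" signature: GetWindowThreadProcessId, OpenProcess with access mask 0x438 (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, no PROCESS_CREATE_THREAD), VirtualAllocEx with MEM_COMMIT and PAGE_READWRITE, WriteProcessMemory, then SendMessageW with 0x1104 (TVM_GETITEMRECT) and 0x1111 (TVM_HITTEST), followed by ReadProcessMemory. Both messages take an lParam pointer to a structure that must live in the window's owning process, which is the shape of a GUI-automation helper marshalling message arguments across processes (what AutoIt's Control* functions do) rather than of code injection; the injection indicators in this report come from the other signatures, not from this chain alone. The following is an added example, not code from the report or the sample: it scores such a chain from an API-call trace by the rights requested, the page protection of the remote buffer, thread creation in the target and the bracketing window messages. The two traces, the handle values, PIDs and the remote buffer address are constructed, and the verdict names are my own.

```python
# Added example (not part of the Joe Sandbox report or the analysed sample).
# Classifies a foreign-process write chain from a sequence of API-call records.
from dataclasses import dataclass

# OpenProcess access rights (winnt.h)
ACCESS_NAMES = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
}
PROCESS_CREATE_THREAD = 0x0002

# VirtualAllocEx constants; any PAGE_EXECUTE* protection is a code-injection tell
MEM_COMMIT = 0x1000
PAGE_READWRITE = 0x04
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# Tree-view messages whose lParam points into the target process's address space
TV_FIRST = 0x1100
POINTER_MESSAGES = {TV_FIRST + 4: "TVM_GETITEMRECT", TV_FIRST + 17: "TVM_HITTEST"}

THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "RtlCreateUserThread", "QueueUserAPC"}


@dataclass
class Call:
    api: str
    args: tuple
    ref: int          # return address, like the report's "ref:" column


def decode_access(mask):
    """Expand an OpenProcess access mask into named rights plus any leftover bits."""
    names = [name for bit, name in ACCESS_NAMES.items() if mask & bit]
    leftover = mask & ~sum(ACCESS_NAMES)
    if leftover:
        names.append(hex(leftover))
    return names


def classify_foreign_write(trace):
    """Return (verdict, evidence) for a list of Call records."""
    def by_api(name):
        return [c for c in trace if c.api == name]

    if not by_api("WriteProcessMemory"):
        return "no-foreign-write", {}
    opened = by_api("OpenProcess")
    rights = opened[0].args[0] if opened else 0
    protections = [c.args[4] for c in by_api("VirtualAllocEx")]   # flProtect
    messages = [POINTER_MESSAGES[c.args[1]] for c in by_api("SendMessageW")
                if c.args[1] in POINTER_MESSAGES]
    threads = [c.api for c in trace if c.api in THREAD_APIS]
    evidence = {"rights": decode_access(rights), "protections": protections,
                "messages": messages, "threads": threads}
    if threads or any(p in EXECUTABLE_PROTECTIONS for p in protections):
        return "code-injection", evidence
    if messages and by_api("ReadProcessMemory") and not rights & PROCESS_CREATE_THREAD:
        return "control-message-marshalling", evidence
    return "foreign-write-unclassified", evidence


# Constructed trace mirroring the chain in the report (handles, PID and the
# remote buffer address are invented; constants and ref addresses are the report's).
REMOTE_BUF = 0x00F20000
TREEVIEW_TRACE = [
    Call("GetWindowThreadProcessId", (0x000A0B2C, 0), 0x0103B355),
    Call("OpenProcess", (0x438, 0, 4120), 0x0103B365),
    Call("VirtualAllocEx", (0x1C4, 0, 0x800, MEM_COMMIT, PAGE_READWRITE), 0x0103B37B),
    Call("WriteProcessMemory", (0x1C4, REMOTE_BUF, 0x0019F8C0, 0x34, 0), 0x0103B42D),
    Call("SendMessageW", (0x000A0B2C, TV_FIRST + 4, 0, REMOTE_BUF), 0x01032760),
    Call("ReadProcessMemory", (0x1C4, REMOTE_BUF, 0x0019F8C0, 0x34, 0), 0x0103B3F8),
    Call("SendMessageW", (0x000A0B2C, TV_FIRST + 17, 0, REMOTE_BUF), 0x010327CD),
]

# Constructed contrast: the classic remote-thread injection shape.
INJECTION_TRACE = [
    Call("OpenProcess", (0x1F0FFF, 0, 4120), 0x00401000),
    Call("VirtualAllocEx", (0x1C8, 0, 0x1000, 0x3000, 0x40), 0x00401010),
    Call("WriteProcessMemory", (0x1C8, 0x00A00000, 0x00403000, 0x200, 0), 0x00401020),
    Call("CreateRemoteThread", (0x1C8, 0, 0, 0x00A00000, 0, 0, 0), 0x00401030),
]

if __name__ == "__main__":
    for name, trace in (("treeview", TREEVIEW_TRACE), ("injection", INJECTION_TRACE)):
        print(name, *classify_foreign_write(trace))
```

The design choice is to let the evidence dictionary carry the raw facts (decoded rights, protections, message names, thread APIs) so a reviewer can disagree with the verdict without re-running the trace; a write followed by an executable mapping or a remote thread stays "code-injection" even when tree-view messages are also present.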
                      APIs
                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\shipping doc.exe,00000104), ref: 01001769
                      • _free.LIBCMT ref: 01001834
                      • _free.LIBCMT ref: 0100183E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _free$FileModuleName
                      • String ID: C:\Users\user\Desktop\shipping doc.exe
                      • API String ID: 2506810119-831869447
                      • Opcode ID: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
                      • Instruction ID: 0ae9d72dab94fe3a2f2f71bdc65e49a1f49b113be1ae033bf2b9662af69ccc05
                      • Opcode Fuzzy Hash: 6f7b62a9887708b90d786926d70ad67277e342b24f8f7c4fe729c30cc8cf8b52
                      • Instruction Fuzzy Hash: 27318E75A00219EBEB23DF99D884D9EBBFCEF85310F5041A6E98497280D670CB40CBA0
                      APIs
                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0103C306
                      • DeleteMenu.USER32(?,00000007,00000000), ref: 0103C34C
                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010A1990,01685578), ref: 0103C395
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Menu$Delete$InfoItem
                      • String ID: 0
                      • API String ID: 135850232-4108050209
                      • Opcode ID: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
                      • Instruction ID: f46e54a31937358d03f83672d91f658be7e52e062cf534991959dd7b07fce41e
                      • Opcode Fuzzy Hash: 5f507a9d637fa45a31fe8c60af18002d7e3ee1ccf627ecb5ef31477dcdcd8abe
                      • Instruction Fuzzy Hash: E141A0712043029FE720DF29D984B6ABBE8AFC5314F048A5EF9E5E72D1D770A604CB52
                      APIs
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0106CC08,00000000,?,?,?,?), ref: 010644AA
                      • GetWindowLongW.USER32 ref: 010644C7
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 010644D7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$Long
                      • String ID: SysTreeView32
                      • API String ID: 847901565-1698111956
                      • Opcode ID: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
                      • Instruction ID: e0227e0e1a33062277b9d3db5013e92a8bbb4b97d1f10fb40eef2cedd94dd10a
                      • Opcode Fuzzy Hash: b4d832829f2de29fe8c7e9d74352ff684e9e021f8d798e25c424fce13194700e
                      • Instruction Fuzzy Hash: 1431BE31210205AFEF618E38DC46BEA7BA9EB09334F204315FAB5D21E1DB75E8509B50
                      APIs
                        • Part of subcall function 0105335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,01053077,?,?), ref: 01053378
                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0105307A
                      • _wcslen.LIBCMT ref: 0105309B
                      • htons.WSOCK32(00000000,?,?,00000000), ref: 01053106
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                      • String ID: 255.255.255.255
                      • API String ID: 946324512-2422070025
                      • Opcode ID: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
                      • Instruction ID: 670689795425671ee86a26f7ef4e6ea6c42dbb4d0222804338714e3b12eff829
                      • Opcode Fuzzy Hash: 3fd0965c221f272659a135bbf1a14d568d732911d2a7e2b221a2702ae5e2cdf7
                      • Instruction Fuzzy Hash: 2831EF392002058FDBA0CF68C491AABBBF0FF04398F149099E9958F392CB72ED41C760
                      APIs
                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01064705
                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01064713
                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0106471A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend$DestroyWindow
                      • String ID: msctls_updown32
                      • API String ID: 4014797782-2298589950
                      • Opcode ID: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
                      • Instruction ID: 24abfaa8ae673d35bd1d976ca60d3ca9446f96f679ff8a67d5f3fceea33b59ff
                      • Opcode Fuzzy Hash: c8796536ec0b657a5829c67a27c63488159c2d9a62bf1d52f2c8205277aa9f76
                      • Instruction Fuzzy Hash: 24215CB5600209AFEB11DF68DC81DAB37EDEB5A3A4B04005AFA80DB251CB75EC11DB60
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                      • API String ID: 176396367-2734436370
                      • Opcode ID: fc379beac6c532a5f3c65cc85d98311c31087228d838fa4d40e5de0bb0a38085
                      • Instruction ID: a4988b5e49ec4e295fb887d3105ba4d8889b9d2032ea47a7df659cf72f895b21
                      • Opcode Fuzzy Hash: fc379beac6c532a5f3c65cc85d98311c31087228d838fa4d40e5de0bb0a38085
                      • Instruction Fuzzy Hash: D3218B3220461166D331BB299C12FBB73DC9FD5308F04402AFACA9B182EBD5A981D391
                      APIs
                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01063840
                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01063850
                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01063876
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Similarity
                      • API ID: MessageSend$MoveWindow
                      • String ID: Listbox
                      • API String ID: 3315199576-2633736733
                      APIs
                      • SetErrorMode.KERNEL32(00000001), ref: 01044A08
                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 01044A5C
                      • SetErrorMode.KERNEL32(00000000,?,?,0106CC08), ref: 01044AD0
                      Strings
                      Similarity
                      • API ID: ErrorMode$InformationVolume
                      • String ID: %lu
                      • API String ID: 2507767853-685833217
                      APIs
                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0106424F
                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01064264
                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01064271
                      Strings
                      Similarity
                      • API ID: MessageSend
                      • String ID: msctls_trackbar32
                      • API String ID: 3850602802-1010561917
                      APIs
                        • Part of subcall function 00FD6B57: _wcslen.LIBCMT ref: 00FD6B6A
                        • Part of subcall function 01032DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
                        • Part of subcall function 01032DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
                        • Part of subcall function 01032DA7: GetCurrentThreadId.KERNEL32 ref: 01032DDD
                        • Part of subcall function 01032DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4
                      • GetFocus.USER32 ref: 01032F78
                        • Part of subcall function 01032DEE: GetParent.USER32(00000000), ref: 01032DF9
                      • GetClassNameW.USER32(?,?,00000100), ref: 01032FC3
                      • EnumChildWindows.USER32(?,0103303B), ref: 01032FEB
                      Strings
                      Similarity
                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                      • String ID: %s%d
                      • API String ID: 1272988791-1110647743
                      APIs
                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658C1
                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 010658EE
                      • DrawMenuBar.USER32(?), ref: 010658FD
                      Strings
                      Similarity
                      • API ID: Menu$InfoItem$Draw
                      • String ID: 0
                      • API String ID: 3227129158-4108050209
                      APIs
                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0102D3BF
                      • FreeLibrary.KERNEL32 ref: 0102D3E5
                      Strings
                      Similarity
                      • API ID: AddressFreeLibraryProc
                      • String ID: GetSystemWow64DirectoryW$X64
                      • API String ID: 3013587201-2590602151
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      Similarity
                      • API ID: Variant$ClearInitInitializeUninitialize
                      • String ID:
                      • API String ID: 1998397398-0
                      APIs
                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 010305F0
                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0106FC08,?), ref: 01030608
                      • CLSIDFromProgID.OLE32(?,?,00000000,0106CC40,000000FF,?,00000000,00000800,00000000,?,0106FC08,?), ref: 0103062D
                      • _memcmp.LIBVCRUNTIME ref: 0103064E
                      Similarity
                      • API ID: FromProg$FreeTask_memcmp
                      • String ID:
                      • API String ID: 314563124-0
                      APIs
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      APIs
                      • GetWindowRect.USER32(0168E920,?), ref: 010662E2
                      • ScreenToClient.USER32(?,?), ref: 01066315
                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 01066382
                      Similarity
                      • API ID: Window$ClientMoveRectScreen
                      • String ID:
                      • API String ID: 3880355969-0
                      APIs
                      • socket.WSOCK32(00000002,00000002,00000011), ref: 01051AFD
                      • WSAGetLastError.WSOCK32 ref: 01051B0B
                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01051B8A
                      • WSAGetLastError.WSOCK32 ref: 01051B94
                      Similarity
                      • API ID: ErrorLast$socket
                      • String ID:
                      • API String ID: 1881357543-0
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 01045783
                      • GetLastError.KERNEL32(?,00000000), ref: 010457A9
                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 010457CE
                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 010457FA
                      Similarity
                      • API ID: CreateHardLink$DeleteErrorFileLast
                      • String ID:
                      • API String ID: 3321077145-0
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00FF6D71,00000000,00000000,00FF82D9,?,00FF82D9,?,00000001,00FF6D71,8BE85006,00000001,00FF82D9,00FF82D9), ref: 0100D910
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100D999
                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0100D9AB
                      • __freea.LIBCMT ref: 0100D9B4
                        • Part of subcall function 01003820: RtlAllocateHeap.NTDLL(00000000,?,010A1444,?,00FEFDF5,?,?,00FDA976,00000010,010A1440,00FD13FC,?,00FD13C6,?,00FD1129), ref: 01003852
                      Similarity
                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                      • String ID:
                      • API String ID: 2652629310-0
                      APIs
                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0103AAAC
                      • SetKeyboardState.USER32(00000080), ref: 0103AAC8
                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0103AB36
                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0103AB88
                      Similarity
                      • API ID: KeyboardState$InputMessagePostSend
                      • String ID:
                      • API String ID: 432972143-0
                      APIs
                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 01065352
                      • GetWindowLongW.USER32(?,000000F0), ref: 01065375
                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 01065382
                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010653A8
                      Similarity
                      • API ID: LongWindow$InvalidateMessageRectSend
                      • String ID:
                      • API String ID: 3340791633-0
                      APIs
                      • ClientToScreen.USER32(?,?), ref: 0106769A
                      • GetWindowRect.USER32(?,?), ref: 01067710
                      • PtInRect.USER32(?,?,01068B89), ref: 01067720
                      • MessageBeep.USER32(00000000), ref: 0106778C
                      Similarity
                      • API ID: Rect$BeepClientMessageScreenWindow
                      • String ID:
                      • API String ID: 1352109105-0
                      • Opcode ID: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
                      • Instruction ID: e57f937f6f461ef60c95d15f42f96e8547a67ef6e98301c44721af995ebe44ff
                      • Opcode Fuzzy Hash: 4fda925403139749ffaf123097a15b4cdac62ec6bcd0c684bac898d9c0df25d8
                      • Instruction Fuzzy Hash: D841BF34601205EFEB12CF58C884EA97BF8FF48318F0481A8E5949B255D739E941CF90
                      APIs
                      • GetForegroundWindow.USER32 ref: 010616EB
                        • Part of subcall function 01033A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 01033A57
                        • Part of subcall function 01033A3D: GetCurrentThreadId.KERNEL32 ref: 01033A5E
                        • Part of subcall function 01033A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,010325B3), ref: 01033A65
                      • GetCaretPos.USER32(?), ref: 010616FF
                      • ClientToScreen.USER32(00000000,?), ref: 0106174C
                      • GetForegroundWindow.USER32 ref: 01061752
                      Similarity
                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                      • String ID:
                      • API String ID: 2759813231-0
                      • Opcode ID: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
                      • Instruction ID: 488f249df222336859af4fc3e7b5b159fbedbb7d53cecebe895b75f8d27f6243
                      • Opcode Fuzzy Hash: acce1fc6e2324259d5ff2f10a8dc0313d06b344930df1749a4f1ee6ec9b9fd36
                      • Instruction Fuzzy Hash: 94313E75D00249AFD700EFA9C8818EEBBFDFF88204B5480AAE455E7311E7359E45CBA0
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0103D501
                      • Process32FirstW.KERNEL32(00000000,?), ref: 0103D50F
                      • Process32NextW.KERNEL32(00000000,?), ref: 0103D52F
                      • CloseHandle.KERNEL32(00000000), ref: 0103D5DC
                      Similarity
                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                      • String ID:
                      • API String ID: 420147892-0
                      • Opcode ID: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
                      • Instruction ID: 26d21dbefa4ae0453d9c3e51e5c1f5d91ed36d47a9d6bef5be5f0d102190383a
                      • Opcode Fuzzy Hash: ab0de264ba8d5d53d97509758cb480727708b478deb11c9698da120cd8be99a0
                      • Instruction Fuzzy Hash: 8031AF711083009FD301EF94CC81AAFBBE9EFD9344F44092EF5C1862A1EB759A48DB92
                      APIs
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      • GetCursorPos.USER32(?), ref: 01069001
                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,01027711,?,?,?,?,?), ref: 01069016
                      • GetCursorPos.USER32(?), ref: 0106905E
                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,01027711,?,?,?), ref: 01069094
                      Similarity
                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                      • String ID:
                      • API String ID: 2864067406-0
                      • Opcode ID: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
                      • Instruction ID: 1dd98e5451fa0d60c4693b410fad92e71ae3c59eca9131f89d279a66482eacb8
                      • Opcode Fuzzy Hash: 42a975d3fc39406ffa6f96ecf704eca8e7d81700c059f823d67988ecb9033212
                      • Instruction Fuzzy Hash: D521BF35601018FFEF258F98C848EFA3FF9EB89350F004099FA8547261C3369990DB60
                      APIs
                      • GetFileAttributesW.KERNEL32(?,0106CB68), ref: 0103D2FB
                      • GetLastError.KERNEL32 ref: 0103D30A
                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0103D319
                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0106CB68), ref: 0103D376
                      Similarity
                      • API ID: CreateDirectory$AttributesErrorFileLast
                      • String ID:
                      • API String ID: 2267087916-0
                      • Opcode ID: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
                      • Instruction ID: ed6111901316be25e84a1e00bf8fc7adf8e584495e540565fa6f89ae344476e9
                      • Opcode Fuzzy Hash: fc3842c407c58d6382caafa14ec9b325fff81840d0faf01edec9943a8db1b455
                      • Instruction Fuzzy Hash: FF21E2705083019F9310DFA8C98086E7BECEE86324F948A5EF4D9C72A1D735DE09CB92
                      APIs
                        • Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0103102A
                        • Part of subcall function 01031014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 01031036
                        • Part of subcall function 01031014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031045
                        • Part of subcall function 01031014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0103104C
                        • Part of subcall function 01031014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 01031062
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 010315BE
                      • _memcmp.LIBVCRUNTIME ref: 010315E1
                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 01031617
                      • HeapFree.KERNEL32(00000000), ref: 0103161E
                      Similarity
                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                      • String ID:
                      • API String ID: 1592001646-0
                      • Opcode ID: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
                      • Instruction ID: 89dc790d7e67506cb17119217a11e5adecf2851ea69194f8be6e9d481713de0a
                      • Opcode Fuzzy Hash: 4eba2cb71552c9f9f650033a5a172887f87730b2b119a1af4991f6dffefe7376
                      • Instruction Fuzzy Hash: C1219031E00109EFEB10DFA9C944BEEBBF8EF88354F084499E581AB240D735AA05DB60
                      APIs
                      • GetWindowLongW.USER32(?,000000EC), ref: 0106280A
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062824
                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01062832
                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01062840
                      Similarity
                      • API ID: Window$Long$AttributesLayered
                      • String ID:
                      • API String ID: 2169480361-0
                      • Opcode ID: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
                      • Instruction ID: 1193ca5c2cdab0838c5092488acfeb9d05eb89f46ef1dfcc0e6f16faa9af26d1
                      • Opcode Fuzzy Hash: fdb18b7d0e1f4ab59d0cd83062345b46ffa3ffc1d4849f72743d08dcdd863825
                      • Instruction Fuzzy Hash: 1421C131205112AFE7149B24CC44FAA7B99AF45324F198159F4A68B6E2C77AEC82C7D0
                      APIs
                      • InternetReadFile.WININET(?,?,00000400,?), ref: 0104CE89
                      • GetLastError.KERNEL32(?,00000000), ref: 0104CEEA
                      • SetEvent.KERNEL32(?,?,00000000), ref: 0104CEFE
                      Similarity
                      • API ID: ErrorEventFileInternetLastRead
                      • String ID:
                      • API String ID: 234945975-0
                      • Opcode ID: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
                      • Instruction ID: 16a41945809d4938086c1d1d1ac369cccf750c1ac0f601e6c72c4a91894021c4
                      • Opcode Fuzzy Hash: fd44a7e00618637097048eda477c1bbad86685d0d455814f4d282df8e4b092ca
                      • Instruction Fuzzy Hash: E92190B15013059BF770DF6ACA84BAA7BF8EF40354F10446EE6C6D2162E779EA049B50
                      APIs
                        • Part of subcall function 01038D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038D8C
                        • Part of subcall function 01038D7D: lstrcpyW.KERNEL32(00000000,?), ref: 01038DB2
                        • Part of subcall function 01038D7D: lstrcmpiW.KERNEL32(00000000,?,0103790A,?,000000FF,?,01038754,00000000,?,0000001C,?,?), ref: 01038DE3
                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037923
                      • lstrcpyW.KERNEL32(00000000,?), ref: 01037949
                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,01038754,00000000,?,0000001C,?,?,00000000), ref: 01037984
                      Strings
                      Similarity
                      • API ID: lstrcmpilstrcpylstrlen
                      • String ID: cdecl
                      • API String ID: 4031866154-3896280584
                      • Opcode ID: 3c7d42df68c3c093d3f8ba1d80a5510b132c9e50f983fd832a8d8980afbeeb5d
                      • Instruction ID: b64251baa8cbc953f2537af8ab19cae0a1aae5017949b02b18376790c1d4e656
                      • Opcode Fuzzy Hash: 3c7d42df68c3c093d3f8ba1d80a5510b132c9e50f983fd832a8d8980afbeeb5d
                      • Instruction Fuzzy Hash: BC11067A200342ABDB256F39C844E7A77E9FF85350B00816BF982CB264EB369801C751
                      APIs
                      • GetWindowLongW.USER32(?,000000F0), ref: 01067D0B
                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 01067D2A
                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 01067D42
                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0104B7AD,00000000), ref: 01067D6B
                        • Part of subcall function 00FE9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00FE9BB2
                      Similarity
                      • API ID: Window$Long
                      • String ID:
                      • API String ID: 847901565-0
                      • Opcode ID: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
                      • Instruction ID: 1de9685bb4d26cc3a26201b68881aaca2df2a56f6d0d569f24bc0245873d59d0
                      • Opcode Fuzzy Hash: c112b62e5f9227084c56163900a14b92934b53da485f43edfa33750358b3753d
                      • Instruction Fuzzy Hash: 2611E432200615AFDB60AF2CCC04A6A3BE8BB45374F114B64F9B5C72F4E7358950CB50
                      APIs
                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 010656BB
                      • _wcslen.LIBCMT ref: 010656CD
                      • _wcslen.LIBCMT ref: 010656D8
                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 01065816
                      Similarity
                      • API ID: MessageSend_wcslen
                      • String ID:
                      • API String ID: 455545452-0
                      • Opcode ID: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
                      • Instruction ID: 81b9f5e5a1661ed79f61b48ae0d3b35ae9ad5e16fad4ebe49523f0b81fc2d517
                      • Opcode Fuzzy Hash: b9474b84c0fdfc845bac379499baf98fbdcc81807b5c1106b71c4b1ad2affdd0
                      • Instruction Fuzzy Hash: 3111D67160020996EB209F65DC85AFF7BACEF057A4F0040AAFAD5D6081EBB4D540CB60
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
                      • Instruction ID: 53de52e6dffcd1c4aba9f59f10037b52bdaf852298f2acacadbd3dfedd877f99
                      • Opcode Fuzzy Hash: ee98c522b8af2b8502dff0751215f1c520cd55041580386c951f5f8054a1e8ee
                      • Instruction Fuzzy Hash: 6701A2B220961A7EF66335B86CC0F6B665DDF513B8F300326F6A1A11D5EB71CC004270
                      APIs
                      • SendMessageW.USER32(?,000000B0,?,?), ref: 01031A47
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A59
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A6F
                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 01031A8A
                      Similarity
                      • API ID: MessageSend
                      • String ID:
                      • API String ID: 3850602802-0
                      • Opcode ID: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
                      • Instruction ID: 77b93934eb42ab904acefdf3372fcd4391b2bd615e296b67771a3e29cde89083
                      • Opcode Fuzzy Hash: b66ecb809a49d730073bf9905cbe8179fbfbf87ffb72a5647985ec5c1690e940
                      • Instruction Fuzzy Hash: DD11093AD00219FFEB11DBA9C985FADBBB8EB48750F200091EA44B7290D7716E51DB94
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 0103E1FD
                      • MessageBoxW.USER32(?,?,?,?), ref: 0103E230
                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0103E246
                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0103E24D
                      Similarity
                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                      • String ID:
                      • API String ID: 2880819207-0
                      • Opcode ID: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
                      • Instruction ID: 19b47b52b44b8211515cd464d98accccaf27ef626461038d2571f84c99324e93
                      • Opcode Fuzzy Hash: 7e5325b9fbe69f89d403eb7642ea0b9aa544189a7903912d90d99b0c39eee3dd
                      • Instruction Fuzzy Hash: FC11DB76904258BFD7219FACDC05A9E7FADAF85310F048355F994D3284D6B9D90487A0
                      APIs
                      • CreateThread.KERNEL32(00000000,?,00FFCFF9,00000000,00000004,00000000), ref: 00FFD218
                      • GetLastError.KERNEL32 ref: 00FFD224
                      • __dosmaperr.LIBCMT ref: 00FFD22B
                      • ResumeThread.KERNEL32(00000000), ref: 00FFD249
                      Similarity
                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                      • String ID:
                      • API String ID: 173952441-0
                      • Opcode ID: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
                      • Instruction ID: bf9b8ba75b8777e86f28b51c35c22dd8de2ef1e07a177f322ad23c976c06f397
                      • Opcode Fuzzy Hash: c77671f7113293bcd8688f532970268a9d4716f4c407e6348f3c586e7f0036ac
                      • Instruction Fuzzy Hash: 6901D63680511CBBEB215BA5DC09BBE7A6ADF82331F100259FA25961F0DB75C901E7E0
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                      • GetStockObject.GDI32(00000011), ref: 00FD6060
                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                      Similarity
                      • API ID: CreateMessageObjectSendStockWindow
                      • String ID:
                      APIs
                      • ___BuildCatchObject.LIBVCRUNTIME ref: 00FF3B56
                        • Part of subcall function 00FF3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00FF3AD2
                        • Part of subcall function 00FF3AA3: ___AdjustPointer.LIBCMT ref: 00FF3AED
                      • _UnwindNestedFrames.LIBCMT ref: 00FF3B6B
                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00FF3B7C
                      • CallCatchBlock.LIBVCRUNTIME ref: 00FF3BA4
                      Similarity
                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                      • String ID:
                      APIs
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00FD13C6,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue), ref: 010030A5
                      • GetLastError.KERNEL32(?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000,00000364,?,01002E46), ref: 010030B1
                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0100301A,00FD13C6,00000000,00000000,00000000,?,0100328B,00000006,FlsSetValue,01072290,FlsSetValue,00000000), ref: 010030BF
                      Similarity
                      • API ID: LibraryLoad$ErrorLast
                      • String ID:
                      APIs
                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0103747F
                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 01037497
                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010374AC
                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 010374CA
                      Similarity
                      • API ID: Type$Register$FileLoadModuleNameUser
                      • String ID:
                      APIs
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0C4
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0E9
                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B0F3
                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103ACD3,?,00008000), ref: 0103B126
                      Similarity
                      • API ID: CounterPerformanceQuerySleep
                      • String ID:
                      APIs
                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 01032DC5
                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 01032DD6
                      • GetCurrentThreadId.KERNEL32 ref: 01032DDD
                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 01032DE4
                      Similarity
                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                      • String ID:
                      APIs
                        • Part of subcall function 00FE9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00FE9693
                        • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96A2
                        • Part of subcall function 00FE9639: BeginPath.GDI32(?), ref: 00FE96B9
                        • Part of subcall function 00FE9639: SelectObject.GDI32(?,00000000), ref: 00FE96E2
                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 01068887
                      • LineTo.GDI32(?,?,?), ref: 01068894
                      • EndPath.GDI32(?), ref: 010688A4
                      • StrokePath.GDI32(?), ref: 010688B2
                      Similarity
                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                      • String ID:
                      APIs
                      • GetSysColor.USER32(00000008), ref: 00FE98CC
                      • SetTextColor.GDI32(?,?), ref: 00FE98D6
                      • SetBkMode.GDI32(?,00000001), ref: 00FE98E9
                      • GetStockObject.GDI32(00000005), ref: 00FE98F1
                      Similarity
                      • API ID: Color$ModeObjectStockText
                      • String ID:
                      APIs
                      • GetCurrentThread.KERNEL32 ref: 01031634
                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103163B
                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,010311D9), ref: 01031648
                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,010311D9), ref: 0103164F
                      Similarity
                      • API ID: CurrentOpenProcessThreadToken
                      • String ID:
                      APIs
                      • GetDesktopWindow.USER32 ref: 0102D858
                      • GetDC.USER32(00000000), ref: 0102D862
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
                      • ReleaseDC.USER32(?), ref: 0102D8A3
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      APIs
                      • GetDesktopWindow.USER32 ref: 0102D86C
                      • GetDC.USER32(00000000), ref: 0102D876
                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0102D882
                      • ReleaseDC.USER32(?), ref: 0102D8A3
                      Similarity
                      • API ID: CapsDesktopDeviceReleaseWindow
                      • String ID:
                      APIs
                        • Part of subcall function 00FD7620: _wcslen.LIBCMT ref: 00FD7625
                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 01044ED4
                      Strings
                      Similarity
                      • API ID: Connection_wcslen
                      • String ID: *$LPT
                      APIs
                      • __startOneArgErrorHandling.LIBCMT ref: 00FFE30D
                      Strings
                      Similarity
                      • API ID: ErrorHandling__start
                      • String ID: pow
                      Strings
                      Similarity
                      • API ID:
                      • String ID: #
                      APIs
                      • Sleep.KERNEL32(00000000), ref: 00FEF2A2
                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00FEF2BB
                      Strings
                      Similarity
                      • API ID: GlobalMemorySleepStatus
                      • String ID: @
                      APIs
                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 010557E0
                      • _wcslen.LIBCMT ref: 010557EC
                      Strings
                      Similarity
                      • API ID: BuffCharUpper_wcslen
                      • String ID: CALLARGARRAY
                      APIs
                      • _wcslen.LIBCMT ref: 0104D130
                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0104D13A
                      Strings
                      Similarity
                      • API ID: CrackInternet_wcslen
                      • String ID: |
                      APIs
                      • DestroyWindow.USER32(?,?,?,?), ref: 01063621
                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0106365C
                      Strings
                      Similarity
                      • API ID: Window$DestroyMove
                      • String ID: static
                      • API String ID: 2139405536-2160076837
                      • Opcode ID: 38af41673f5dd74e29e1a48d9b88c89ae0bdfa3d7ca8b91975547b788a9d13ff
                      • Instruction ID: f8814a7a18f730f6ea171e9ce2e29c0aca3109a143ca081fbb2564e117f9cdfa
                      • Opcode Fuzzy Hash: 38af41673f5dd74e29e1a48d9b88c89ae0bdfa3d7ca8b91975547b788a9d13ff
                      • Instruction Fuzzy Hash: 18318171100604AAEB109F68DC40EFB73ADFF48714F00961AF9A997250DA35AC81D7A0
                      APIs
                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 0106461F
                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01064634
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: '
                      • API String ID: 3850602802-1997036262
                      • Opcode ID: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
                      • Instruction ID: e0801c4a699bed0bf6624d972cfb488d1e9cc74d273aff77eb4c9c67b17ebd72
                      • Opcode Fuzzy Hash: d68ee2e9c29d2845298a16d990c57516a536e9b525fbfe8e841a3e7e9281ef5d
                      • Instruction Fuzzy Hash: AE310674A0120AAFDB54CFA9C980ADA7BF9FF49300F14416AEA45EB342D771A941CF90
                      APIs
                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0106327C
                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01063287
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: Combobox
                      • API String ID: 3850602802-2096851135
                      • Opcode ID: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
                      • Instruction ID: c579cb1e9c2e4b4684cf6e0e0ec6211581c5fd9d8587df9fa0ec8ba587ec35c2
                      • Opcode Fuzzy Hash: 792b8c2859d4946412726cc17ad111b7b184f683a9b3a870daf96d84c0ea11d3
                      • Instruction Fuzzy Hash: 1C11E67130020A7FFF629E58DC80EBB379EFB48364F104125F5989B291D6759C50C7A0
                      APIs
                        • Part of subcall function 00FD600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00FD604C
                        • Part of subcall function 00FD600E: GetStockObject.GDI32(00000011), ref: 00FD6060
                        • Part of subcall function 00FD600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00FD606A
                      • GetWindowRect.USER32(00000000,?), ref: 0106377A
                      • GetSysColor.USER32(00000012), ref: 01063794
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                      • String ID: static
                      • API String ID: 1983116058-2160076837
                      • Opcode ID: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
                      • Instruction ID: ab0ddae9897c3ee72879365b7664d3abaf26280e48eaf7056af3340001df826b
                      • Opcode Fuzzy Hash: 57e4ab82a242456c184536177663147bec98f75e4771488733c5a753d8b9d6d0
                      • Instruction Fuzzy Hash: 70113A72610209AFEF11DFA8CD45EEE7BF8FB08354F004515F995E6250D779E8509B90
                      APIs
                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0104CD7D
                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0104CDA6
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Internet$OpenOption
                      • String ID: <local>
                      • API String ID: 942729171-4266983199
                      • Opcode ID: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
                      • Instruction ID: 78e9e37e246de2ed616550a12d5f843f12cbc563380a6d99c1161c9a2981b378
                      • Opcode Fuzzy Hash: c5aa6b000b87ce6d376617803f54bc63139999bdfb93ff4b1f6c0dfd803b240c
                      • Instruction Fuzzy Hash: 0C1106B12026317BE7786A668D84EE7BEACEF026A4F00422AB1C983080D3759440C6F0
                      APIs
                      • GetWindowTextLengthW.USER32(00000000), ref: 010634AB
                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010634BA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: LengthMessageSendTextWindow
                      • String ID: edit
                      • API String ID: 2978978980-2167791130
                      • Opcode ID: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
                      • Instruction ID: 06b7080dae4719a3b0b6a3d17808dcb6dc14b822241334272673d0058fdb69d0
                      • Opcode Fuzzy Hash: 8e88538d751e03edf3a33c057393ed528c1df47572925ff370f4b9a076ee442c
                      • Instruction Fuzzy Hash: 9011B275100104ABEB624E68DC44AEB77AEFF05374F504314F9E89B1D4CB75EC519790
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                      • CharUpperBuffW.USER32(?,?,?), ref: 01036CB6
                      • _wcslen.LIBCMT ref: 01036CC2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen$BuffCharUpper
                      • String ID: STOP
                      • API String ID: 1256254125-2411985666
                      • Opcode ID: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
                      • Instruction ID: 960dcd8978e8cf357e70fd57faf32659b876aa30154f9aeff6403499b792b72a
                      • Opcode Fuzzy Hash: c27972536f8ad7846dd25a27fef1bde6b2ce1f27ac26d235ebc3d767077fe182
                      • Instruction Fuzzy Hash: BC010832E1052A9ACB21AFFDDC448BF77F9EA91614B000565E49296195EA37D640C750
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 01031D4C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
                      • Instruction ID: 7eb65ae739bac252bfb5e4362b5a2ea2334261254b9938262f13ab70fa0dc5b5
                      • Opcode Fuzzy Hash: cfd6d3ab82d5f6db84c873985e60766f5a6ec24881753a5b52f270614550c89b
                      • Instruction Fuzzy Hash: 2D012431600229AB9B08FBA4CC54CFE77ADFB9B350B44061AF8B25B3C0EA7458089760
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 01031C46
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
                      • Instruction ID: 563697851b7a4acaf70ba6249909281b05f5c56bedeab94490279645a306ec2e
                      • Opcode Fuzzy Hash: ad77f1ce5a5afa618a62972c14921a686935dd3d90f210694c92ad1792db30a3
                      • Instruction Fuzzy Hash: 2C01477171010D66DF04EBE2CE519FF77ED9B56340F04001AB49267281EA74AE0897B1
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 01031CC8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
                      • Instruction ID: d7ef093abf0e493ed38da9c99dc941fef1a1500b4953c4e79ad1c0ba666c9271
                      • Opcode Fuzzy Hash: 2c330cc9a0ba6b777744399cfc394ebbdfe437ecd69eaaa4bb615e8260ae1a4b
                      • Instruction Fuzzy Hash: 2401267171011D67DF04EBE5DE11AFF77ECAB65340F04002AB88267281EA749E08D771
                      APIs
                        • Part of subcall function 00FD9CB3: _wcslen.LIBCMT ref: 00FD9CBD
                        • Part of subcall function 01033CA7: GetClassNameW.USER32(?,?,000000FF), ref: 01033CCA
                      • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 01031DD3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ClassMessageNameSend_wcslen
                      • String ID: ComboBox$ListBox
                      • API String ID: 624084870-1403004172
                      • Opcode ID: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
                      • Instruction ID: bb19a0d1160db926fc4a7bdb5b8313831591d0608686b790aff16cc1552028ca
                      • Opcode Fuzzy Hash: 6fd57bb43b4ee2b12900f0a85e446413e69a419c665ccb29cdd157c07cc1b82a
                      • Instruction Fuzzy Hash: 12F04F30B1022966DB04F7E5DC95AFF77ACAF46340F08080AB8A2672C0EAB4590892A0
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: _wcslen
                      • String ID: 3, 3, 16, 1
                      • API String ID: 176396367-3042988571
                      • Opcode ID: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
                      • Instruction ID: c7834f9832c7fe5ae35c83dc12b96ef683d21a08dfcd2429d0f8057c0e3bc97d
                      • Opcode Fuzzy Hash: 2bb586554f33403a0af5991ddeab46a70cdd7021613e2800ca60b4497247c158
                      • Instruction Fuzzy Hash: 2BE0E5023112201093B1127A9CC197F7EC9CFC5650794182EFEC5C2266EF98DD91B3A0
                      APIs
                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 01030B23
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: Message
                      • String ID: AutoIt$Error allocating memory.
                      • API String ID: 2030045667-4017498283
                      • Opcode ID: 93012a3edfc2d08cd4f9114daeb149bca2283529cf8b5701cfe7110e747e4d87
                      • Instruction ID: 6eead795e3612027ea779cc3ef8643bab27495dc083cfdc098e13e687c59f56d
                      • Opcode Fuzzy Hash: 93012a3edfc2d08cd4f9114daeb149bca2283529cf8b5701cfe7110e747e4d87
                      • Instruction Fuzzy Hash: 15E0D83124434C36E32436567D03F897A888F05F20F10442BF7D8995C38ADA245022A9
                      APIs
                        • Part of subcall function 00FEF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FF0D71,?,?,?,00FD100A), ref: 00FEF7CE
                      • IsDebuggerPresent.KERNEL32(?,?,?,00FD100A), ref: 00FF0D75
                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00FD100A), ref: 00FF0D84
                      Strings
                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FF0D7F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                      • API String ID: 55579361-631824599
                      • Opcode ID: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
                      • Instruction ID: f55ddc6e0259c8ac388cbdf8b67a97e2262a00fa348e7481cb837b88ed893b51
                      • Opcode Fuzzy Hash: a70f140f35858573a67155f0e4c1b70fe5bdc0166f821d53d6593278f35603c6
                      • Instruction Fuzzy Hash: C1E092742007528BE3309FB9E90875A7BE4AF04B44F04892DE9C6C7756DFBAE4449B91
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: LocalTime
                      • String ID: %.3d$X64
                      • API String ID: 481472006-1077770165
                      • Opcode ID: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
                      • Instruction ID: c2605fdff3a6a12a798048c8cc77502039c16bb4c3b68affc619abf43114d398
                      • Opcode Fuzzy Hash: 91d265535195b94fcfe945213ff31ebc3e5145c4d863809d88d0025aaecc6f35
                      • Instruction Fuzzy Hash: BED01271804129E9DB5096E1CC459BDB37CAB69211F40C452F986D1000D628C90C9B61
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106232C
                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0106233F
                        • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
                      • Instruction ID: 065754b167a40f88ba17c41289aaddedee89bb37441931858c097f6eabfae5fa
                      • Opcode Fuzzy Hash: 5b64c25f4ae78e2588b92b7cd2d8c77b671507061dc3c6a744c021c29acf0103
                      • Instruction Fuzzy Hash: F0D02232390300B7FA74B330EC0FFCABA08AB04B00F000A06B3C6AA1D4C9F5A800CB04
                      APIs
                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0106236C
                      • PostMessageW.USER32(00000000), ref: 01062373
                        • Part of subcall function 0103E97B: Sleep.KERNEL32 ref: 0103E9F3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: FindMessagePostSleepWindow
                      • String ID: Shell_TrayWnd
                      • API String ID: 529655941-2988720461
                      • Opcode ID: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
                      • Instruction ID: fa14ebe6dda5564a093d81f50c0751174b859044498ac8e2ce33a0ff10faeef6
                      • Opcode Fuzzy Hash: 962dba05881bdfb36587e7609565c75362cecdb4c829e92382bd813e88f8a68e
                      • Instruction Fuzzy Hash: 26D0C73139131176F6747671DD0EFC675145754710F004516B6C5991D4D5B568418754
                      APIs
                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0100BE93
                      • GetLastError.KERNEL32 ref: 0100BEA1
                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0100BEFC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1849024814.0000000000FD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FD0000, based on PE: true
                      • Associated: 00000000.00000002.1849006241.0000000000FD0000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.000000000106C000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849088871.0000000001092000.00000002.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849128401.000000000109C000.00000004.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1849143781.00000000010A4000.00000002.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_fd0000_shipping doc.jbxd
                      Similarity
                      • API ID: ByteCharMultiWide$ErrorLast
                      • String ID:
                      • API String ID: 1717984340-0
                      • Opcode ID: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
                      • Instruction ID: bc403a280f34f076900621885b3f4e1979b6eca2cabfbe7435821262d6cd359e
                      • Opcode Fuzzy Hash: bab199c16eb2a2156af3ee7202441b0a57e9915ce419fae056258cc4f4cc603d
                      • Instruction Fuzzy Hash: A741B738604646AFFB738F68C844ABA7BE5AF41710F1441ADFAD9971E1DB328901CB60