Windows Analysis Report
shipping doc -GY298035826.exe

Overview

General Information

Sample name: shipping doc -GY298035826.exe
Analysis ID: 1562822
MD5: 7f7f96415f135da958972a9069140286
SHA1: bf5e39f266506df01c20d217ea1d03ac5fb30414
SHA256: 59189df2a774319d207c1a5a7d0ec820a7c37f89d2c4f8e4bc0a50001a3e2ba6
Tags: exe, RedLineStealer, Shipping, user-cocaman

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Note on family labels: the submission tag and the ditekSHen MALWARE_Win_RedLine Yara rule point at RedLine, but the extracted configuration, the Suricata alerts and the JoeSecurity Yara rules all identify AgentTesla. The RedLine rule's matched strings ($s2 is a PE Rich header, $s5 and $s6 are generic C++ runtime strings) fingerprint the build toolchain of the native stub rather than family-specific code, so the RedLine label should be treated as unconfirmed.

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • shipping doc -GY298035826.exe (PID: 6752 cmdline: "C:\Users\user\Desktop\shipping doc -GY298035826.exe" MD5: 7F7F96415F135DA958972A9069140286)
    • RegSvcs.exe (PID: 6844 cmdline: "C:\Users\user\Desktop\shipping doc -GY298035826.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malpedia: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Yara matches (Source | Rule | Description | Author; matched strings listed beneath each entry)

PCAP:
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Memory dumps:
00000002.00000002.3248931051.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.2021170596.0000000003650000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 69 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.3247237709.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 69 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(17 memory-dump entries in the full report; only the first are shown here)

Unpacked PEs:
2.2.RegSvcs.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 69 88 44 24 2B 88 44 24 2F B0 A1 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
2.2.RegSvcs.exe.3a33190.7.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.3a33190.7.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.3a33190.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.RegSvcs.exe.3a33190.7.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3d895:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3d907:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3d991:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3da23:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3da8d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3daff:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3db95:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3dc25:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
(62 unpacked-PE entries in the full report; only the first are shown here)
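Why the ditekSHen RedLine rule fires on this sample can be read off its own match strings: $s2 at file offset 0x80 is a PE Rich header, the "DanS" signature XORed with a key, the key repeated three times as padding, then XOR-masked (compiler id, count) pairs. That structure fingerprints the Microsoft toolchain that linked the native stub, not any RedLine code. The decoder below is an added example written for this page, not Joe Sandbox or ditekSHen code; it takes the $s2 bytes exactly as listed above, recovers the key, verifies the signature and lists the linker build numbers. The VS2008/VS2005 names for builds 21022 and 50727 are the standard mapping and are assumed here; product ids are reported numerically.

```python
import struct

# $s2 of the MALWARE_Win_RedLine match at file offset 0x80, copied from the report above.
RICH_MATCH_HEX = (
    "68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E "
    "0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E "
    "32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E"
)

DANS = 0x536E6144  # "DanS" as a little-endian dword
RICH = 0x68636952  # "Rich" as a little-endian dword (plaintext terminator)

# Linker build number -> Visual Studio release. Assumed well-known values; extend as needed.
KNOWN_BUILDS = {21022: "VS2008 (9.0.21022)", 50727: "VS2005 (8.0.50727)"}


def decode_rich_header(data: bytes) -> dict:
    """Decode a Rich header starting at the masked 'DanS' dword.

    Layout: DanS^key, key, key, key, then (comp_id^key, count^key) pairs until a
    plaintext 'Rich' dword followed by the key. comp_id packs the product id in
    the high word and the linker build number in the low word. A Yara match may
    stop before the terminator, so decoding also ends cleanly at end of data.
    """
    if len(data) < 16 or len(data) % 4:
        raise ValueError("need at least 16 bytes, in whole dwords")
    key = struct.unpack_from("<I", data, 4)[0]
    if struct.unpack_from("<I", data, 0)[0] ^ key != DANS:
        raise ValueError("not a Rich header: DanS signature missing")
    if any(struct.unpack_from("<I", data, off)[0] != key for off in (8, 12)):
        raise ValueError("padding dwords differ from the key")
    entries = []
    for off in range(16, len(data) - 4, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        if comp_id == RICH:
            break
        comp_id ^= key
        entries.append({"prod_id": comp_id >> 16, "build": comp_id & 0xFFFF, "count": count ^ key})
    return {"key": key, "entries": entries}


def toolchain_summary(decoded: dict) -> list:
    """Distinct linker builds seen in the header, named where the mapping is known."""
    return sorted({KNOWN_BUILDS.get(e["build"], f"build {e['build']}") for e in decoded["entries"]})


if __name__ == "__main__":
    decoded = decode_rich_header(bytes.fromhex(RICH_MATCH_HEX))
    print(f"XOR key: 0x{decoded['key']:08X}")
    for e in decoded["entries"]:
        print(f"  prod_id=0x{e['prod_id']:04X} build={e['build']:5d} count={e['count']}")
    print("toolchains:", ", ".join(toolchain_summary(decoded)))
```

On the bytes above the key is 0x7EEA712C and the six entries resolve to linker builds 21022, 50727 and 0, i.e. a VS2008-era toolchain with one VS2005 component. That is a property of whoever compiled the native stub and would be shared by any binary built the same way, which is why a Rich-header string is a weak family indicator. To run the decoder on a whole file, pass it a slice that starts at the masked DanS dword (it sits between the DOS stub and the PE header) and it will stop at the Rich terminator.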

                System Summary

Sigma rule match (Suspicious Outbound SMTP Connections, author frack113) on a Sysmon network-connection event: DestinationIp: 162.251.80.30, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 6844, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol)
2024-11-26T04:51:35.970951+0100 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.5:49704 | 162.251.80.30:587 | TCP
2024-11-26T04:49:59.968103+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5:49704 | 162.251.80.30:587 | TCP
2024-11-26T04:49:59.968103+0100 | 2855245 | 1 | A Network Trojan was detected | 192.168.2.5:49704 | 162.251.80.30:587 | TCP
2024-11-26T04:51:35.970951+0100 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49704 | 162.251.80.30:587 | TCP
2024-11-26T04:51:35.970951+0100 | 2840032 | 1 | A Network Trojan was detected | 192.168.2.5:49704 | 162.251.80.30:587 | TCP
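The process tree in the Classification section and the Sysmon network-connection event that triggered the Sigma rule together describe the detection a SOC would want from this report: RegSvcs.exe, a signed .NET utility, is started with the dropper's own command line (the process-hollowing tell behind "Creates a process in suspended mode" and "Writes to foreign memory regions"), and the same PID then opens TCP 587 to the SMTP host from the extracted configuration. The script below is an added example, not part of the Joe Sandbox report or of frack113's Sigma rule; it runs both checks over constructed Sysmon-style records modelled on the report and escalates when they hit the same PID. PIDs 6752/6844, the image paths, the command line and 162.251.80.30:587 come from the report; the parent PID 4321, the OUTLOOK.EXE control records and 203.0.113.10 are made up for the test. The mail-client allowlist is an assumption to tune per environment, and the SMTP port set approximates rather than reproduces the Sigma rule.

```python
import ntpath

SMTP_PORTS = {25, 465, 587, 2525}
# Processes allowed to speak SMTP. Assumed starting point; tune per estate.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon-style records modelled on this report (see lead-in for which
# fields are taken from the report and which are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 6752, "ParentProcessId": 4321,
     "Image": r"C:\Users\user\Desktop\shipping doc -GY298035826.exe",
     "CommandLine": r'"C:\Users\user\Desktop\shipping doc -GY298035826.exe"'},
    {"EventID": 1, "ProcessId": 6844, "ParentProcessId": 6752,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\shipping doc -GY298035826.exe"'},
    {"EventID": 3, "ProcessId": 6844, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "SourceIp": "192.168.2.5", "SourcePort": 49704,
     "DestinationIp": "162.251.80.30", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 7000, "ParentProcessId": 900,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"'},
    {"EventID": 3, "ProcessId": 7000, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "SourceIp": "192.168.2.5", "SourcePort": 49800,
     "DestinationIp": "203.0.113.10", "DestinationPort": 587},
]


def image_from_cmdline(cmdline: str) -> str:
    """Executable path named by a Windows command line: quoted path or bare first token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_image_cmdline_mismatch(events: list) -> list:
    """Sysmon EID 1 where the loaded image differs from the executable in the command line.

    A hollowed host shows exactly this: here RegSvcs.exe runs under the dropper's own
    command line, because the dropper created it suspended and replaced its image.
    """
    hits = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        claimed = basename(image_from_cmdline(e["CommandLine"]))
        actual = basename(e["Image"])
        if claimed != actual:
            hits.append({"pid": e["ProcessId"], "image": actual, "cmdline_image": claimed})
    return hits


def detect_smtp_egress(events: list, allowlist: set = MAIL_CLIENT_ALLOWLIST) -> list:
    """Sysmon EID 3: outbound TCP to an SMTP port from a process that is not a mail client."""
    hits = []
    for e in events:
        if e.get("EventID") != 3 or not e.get("Initiated") or e.get("Protocol") != "tcp":
            continue
        if e["DestinationPort"] in SMTP_PORTS and basename(e["Image"]) not in allowlist:
            hits.append({"pid": e["ProcessId"], "image": basename(e["Image"]),
                         "dst": f'{e["DestinationIp"]}:{e["DestinationPort"]}'})
    return hits


def correlate(events: list) -> list:
    """Join the two detections on PID.

    A mismatched-image process that then talks SMTP is the hollowing-plus-exfil chain
    this report documents, so it is escalated to high; SMTP from an unknown process
    without the hollowing tell stays medium.
    """
    hollowed = {h["pid"]: h for h in detect_image_cmdline_mismatch(events)}
    findings = []
    for s in detect_smtp_egress(events):
        severity = "high" if s["pid"] in hollowed else "medium"
        findings.append({**s, "severity": severity, "hollowing_tell": hollowed.get(s["pid"])})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['image']} -> {f['dst']} hollowing={f['hollowing_tell']}")
```

Run against the sample records, only PID 6844 is flagged: the OUTLOOK.EXE control is allowlisted on port 587 and its image matches its command line. In production the EID 1 check should be keyed on ProcessGuid rather than PID, since PIDs are reused; it is keyed on PID here only because that is what the report exposes.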

                AV Detection

Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: shipping doc -GY298035826.exe | ReversingLabs: Detection: 44%
Source: shipping doc -GY298035826.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: shipping doc -GY298035826.exe | Joe Sandbox ML: detected
Source: shipping doc -GY298035826.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: shipping doc -GY298035826.exe, 00000000.00000003.2019802060.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, shipping doc -GY298035826.exe, 00000000.00000003.2020035232.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: shipping doc -GY298035826.exe, 00000000.00000003.2019802060.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, shipping doc -GY298035826.exe, 00000000.00000003.2020035232.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01036CA9: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_010360DD: _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_010363F9: _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_0103EB60: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_0103F56F: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_0103F5FA: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01041B2F: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01041C8A: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01041F94: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2855245 - Severity 1 - ETPRO MALWARE Agent Tesla Exfil via SMTP : 192.168.2.5:49704 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49704 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.5:49704 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.5:49704 -> 162.251.80.30:587
Source: Network traffic | Suricata IDS: 2840032 - Severity 1 - ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 : 192.168.2.5:49704 -> 162.251.80.30:587
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 162.251.80.30:587
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01044EB5: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: mail.thelamalab.com
Source: RegSvcs.exe, 00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.thelamalab.com
Source: RegSvcs.exe, 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, abAX9N.cs | .Net Code: K8VU1S
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01046B0C: OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01046D07: OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01032B37: GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_0105F7FF: DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                System Summary

Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.shipping doc -GY298035826.exe.3650000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000000.00000002.2021170596.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000002.00000002.3247237709.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_00FF3D19: This is a third-party compiled AutoIt script.
Source: shipping doc -GY298035826.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: shipping doc -GY298035826.exe, 00000000.00000000.2004621253.000000000109E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a8b59ffb-8)
Source: shipping doc -GY298035826.exe, 00000000.00000000.2004621253.000000000109E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_953925d9-a)
Source: shipping doc -GY298035826.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_e65b0aef-6)
Source: shipping doc -GY298035826.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_31975c1c-2)
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_01036713: CreateFileW,_memset,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_0102ACC5: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function 0_2_010379D3: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code functions (no API calls resolved): 0_2_0101B043, 0_2_01003200, 0_2_0102410F, 0_2_0102038E, 0_2_00FFE3B0, 0_2_010102A4, 0_2_0102467F, 0_2_010106D9, 0_2_01024BEF, 0_2_0105AACE, 0_2_0101CCC1, 0_2_00FFAF50, 0_2_00FF6F07, 0_2_0100B11F, 0_2_0101D1B9, 0_2_010531BC, 0_2_010313CA, 0_2_00FF93F0, 0_2_0101123A, 0_2_0102724D, 0_2_0100F563, 0_2_00FF96C0, 0_2_0105F7FF, 0_2_00FF77B0, 0_2_0103B6CC, 0_2_010279C9, 0_2_01003B70, 0_2_0100FA57, 0_2_00FF9B60, 0_2_00FF7D19, 0_2_00FF7FA3, 0_2_0100FE6F, 0_2_01019ED0, 0_2_011E65C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions (no API calls resolved): 2_2_00408C60, 2_2_0040DC11, 2_2_00407C3F, 2_2_00418CCC, 2_2_00406CA0, 2_2_004028B0, 2_2_0041A4BE, 2_2_00418244, 2_2_00401650, 2_2_00402F20, 2_2_004193C4, 2_2_00418788, 2_2_00402F89, 2_2_00402B90, 2_2_004073A0, 2_2_0262DAC0, 2_2_0262CEA8, 2_2_02621030, 2_2_0262D1F0, 2_2_0601F480, 2_2_0601ADC8, 2_2_06018290, 2_2_0601E2A0, 2_2_06015018, 2_2_0601E9F0, 2_2_06010007, 2_2_06010040, 2_2_060596D0, 2_2_06054348
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_060506382_2_06050638
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_06057B982_2_06057B98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0040E1D8 appears 44 times
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exeCode function: String function: 0101F8A0 appears 35 times
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exeCode function: String function: 0100EC2F appears 68 times
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exeCode function: String function: 01016AC0 appears 42 times
                Source: shipping doc -GY298035826.exe, 00000000.00000003.2019535248.0000000003C23000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc -GY298035826.exe
                Source: shipping doc -GY298035826.exe, 00000000.00000003.2018992746.0000000003DCD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs shipping doc -GY298035826.exe
                Source: shipping doc -GY298035826.exe, 00000000.00000002.2021170596.0000000003650000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9d02a015-5a5b-4340-adbb-c530e02a0bc4.exe4 vs shipping doc -GY298035826.exe
                Source: shipping doc -GY298035826.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 0.2.shipping doc -GY298035826.exe.3650000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000000.00000002.2021170596.0000000003650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.3247237709.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
                Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, RsYAkkzVoy.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, Kqqzixk.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, xROdzGigX.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, ywes.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, iPVW0zV.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, 1Pi9sgbHwoV.cs | Cryptographic APIs: 'CreateDecryptor'
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103CE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0102AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0102B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01036532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0104C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_00FF406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | File created: C:\Users\user\AppData\Local\Temp\aut88FB.tmp
                Source: shipping doc -GY298035826.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: shipping doc -GY298035826.exe | ReversingLabs: Detection: 44%
                Source: shipping doc -GY298035826.exe | Virustotal: Detection: 34%
                Source: unknown | Process created: C:\Users\user\Desktop\shipping doc -GY298035826.exe "C:\Users\user\Desktop\shipping doc -GY298035826.exe"
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc -GY298035826.exe"
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                Source: shipping doc -GY298035826.exe | Static file information: File size 1206272 > 1048576
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: shipping doc -GY298035826.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: _.pdb | source: RegSvcs.exe, 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP | source: shipping doc -GY298035826.exe, 00000000.00000003.2019802060.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, shipping doc -GY298035826.exe, 00000000.00000003.2020035232.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: shipping doc -GY298035826.exe, 00000000.00000003.2019802060.0000000003CA0000.00000004.00001000.00020000.00000000.sdmp, shipping doc -GY298035826.exe, 00000000.00000003.2020035232.0000000003B00000.00000004.00001000.00020000.00000000.sdmp
                Source: shipping doc -GY298035826.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: shipping doc -GY298035826.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: shipping doc -GY298035826.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: shipping doc -GY298035826.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: shipping doc -GY298035826.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation

                Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0100E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01016B05 push ecx; ret 0_2_01016B18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00423149 push eax; ret 2_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004231C8 push eax; ret 2_2_00423179
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041BFCD pushad ; ret 2_2_0041BFCE
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02624358 push edi; iretd 2_2_0262435E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0262479F push es; retf 2_2_026247AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0601D7B1 pushad ; ret 2_2_0601D7B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0601D5D8 pushad ; ret 2_2_0601D7B9
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0601E290 push esp; iretd 2_2_0601E291
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0605FE10 push es; ret 2_2_0605FE00
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0605FDF0 push es; ret 2_2_0605FE00
                Source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AqZaZwc5SFFOk', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AqZaZwc5SFFOk', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AqZaZwc5SFFOk', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AqZaZwc5SFFOk', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs | High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'AqZaZwc5SFFOk', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01058111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0100EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0101123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | API/Special instruction interceptor: Address: 11E61EC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1544
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 8014
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Evaded block: after key decision | graph_0-95927
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-96521
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | API coverage: 4.2 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01036CA9 GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_010360DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_010363F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103F56F FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01041B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01041C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01041F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0100DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99774
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99562
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99343
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98906
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98793
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98687
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98578
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98468
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98359
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98250
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98140
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 98031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97921
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97812
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97372
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 97041
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96714
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96387
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96281
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96171
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 96062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95625
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95515
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95406
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95296
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95187
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 95078
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 94961
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                Source: shipping doc -GY298035826.exe, 00000000.00000003.2005417929.00000000012AB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
                Source: RegSvcs.exe, 00000002.00000002.3251154364.00000000050C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | API call chain: ExitProcess graph end node | graph_0-95560
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | API call chain: ExitProcess graph end node | graph_0-96266
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01046AAF BlockInput
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_00FF3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01023920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0100E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_011E6458 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_011E64B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_011E4E08 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0102A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01018189 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_010181AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004123F1 SetUnhandledExceptionFilter
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write, page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 616008
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0102B106 LogonUserW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_00FF3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0103411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01037513 mouse_event
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\shipping doc -GY298035826.exe"
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0102A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_010371FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: shipping doc -GY298035826.exe | Binary or memory string: Shell_TrayWnd
                Source: shipping doc -GY298035826.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_010165C4 cpuid
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00417A20 GetLocaleInfoA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0104091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0106B340 GetUserNameW
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_01021E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe | Code function: 0_2_0100DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.3248931051.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248931051.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6844, type: MEMORYSTR
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_81
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_XP
                Source: shipping doc -GY298035826.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_XPe
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_VISTA
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_7
                Source: shipping doc -GY298035826.exe | Binary or memory string: WIN_8
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.3248931051.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6844, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.3248931051.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3248931051.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 6844, type: MEMORYSTR
Source: Yara match, File source: 2.2.RegSvcs.exe.3a33190.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960ee8.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e5570.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26af07e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26aff66.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26af07e.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e6458.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.4f00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e5570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.39e6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.4f00000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.3a33190.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.26aff66.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.RegSvcs.exe.2960ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe, Code function: 0_2_01048C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_01048C4F
Source: C:\Users\user\Desktop\shipping doc -GY298035826.exe, Code function: 0_2_0104923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_0104923B
Matched techniques listed by MITRE ATT&CK tactic (the report's matrix, flattened; leading digits are the counters the report attaches to a technique and are kept as they appear):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; 3 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 2 Valid Accounts; 121 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
Credential Access: 2 OS Credential Dumping; 121 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 148 System Information Discovery; 251 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

Source | Detection | Scanner | Label | Link
shipping doc -GY298035826.exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject |
shipping doc -GY298035826.exe | 35% | Virustotal | | Browse
shipping doc -GY298035826.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
mail.thelamalab.com | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://mail.thelamalab.com | 0% | Avira URL Cloud | safe |
http://mail.thelamalab.com | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.thelamalab.com | 162.251.80.30 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.thelamalab.com | RegSvcs.exe, 00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://account.dyn.com/ | RegSvcs.exe, 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
162.251.80.30 | mail.thelamalab.com | United States | | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1562822
Start date and time: 2024-11-26 04:49:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: shipping doc -GY298035826.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 48
• Number of non-executed functions: 294
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:49:54 | API Interceptor | 47x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
162.251.80.30 | w6dnPra4mx.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
162.251.80.30 | shipping doc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
162.251.80.30 | shipping advice.exe | Get hash | malicious | AgentTesla | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
mail.thelamalab.com | w6dnPra4mx.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.251.80.30
mail.thelamalab.com | shipping doc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 162.251.80.30
mail.thelamalab.com | shipping advice.exe | Get hash | malicious | AgentTesla | Browse | 162.251.80.30
mail.thelamalab.com | new p o.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.27121.31008.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | DOCUMENTS.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | SHIPPING ORDER.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | receipt-73633T36X90N.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
mail.thelamalab.com | AQQ-T7630-CVE8.exe | Get hash | malicious | AgentTesla | Browse | 162.222.226.100
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
PUBLIC-DOMAIN-REGISTRYUS | New Purchase Order Document for PO1136908 000 SE.exe | Get hash | malicious | AgentTesla | Browse | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | Pigroots.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 199.79.63.24
PUBLIC-DOMAIN-REGISTRYUS | Shave.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 199.79.63.24
PUBLIC-DOMAIN-REGISTRYUS | https://www.google.com.bn/url?snf=vpsBrmjsMjZT0YKBELze&nuu=B4grUxP5T5pV5xJiiFp0&sa=t&ndg=e2p4qPDSQqlwr77oflqr&pdbr=npO0StsDFHvGF7jwYfWY&np=slEjuRPdabbflvaXgHau&cb=IhzFYfcuqq5m2vva4DTH&url=amp%2Fbeutopiantech.com%2Fchd%2FroghgehdjtiE-SURECHDDam9lbC5kZW5vZnJpb0BoYW5lc2NvbXBhbmllcy5jb20= | Get hash | malicious | Unknown | Browse | 103.211.216.144
PUBLIC-DOMAIN-REGISTRYUS | Quote 40240333-REV2.exe | Get hash | malicious | AgentTesla | Browse | 199.79.62.115
PUBLIC-DOMAIN-REGISTRYUS | DOCS.exe | Get hash | malicious | AgentTesla | Browse | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | Ksciarillo_Reord_Adjustment.docx | Get hash | malicious | Unknown | Browse | 208.91.198.81
PUBLIC-DOMAIN-REGISTRYUS | Ksciarillo_Reord_Adjustment.docx | Get hash | malicious | Unknown | Browse | 208.91.198.81
PUBLIC-DOMAIN-REGISTRYUS | NoteID [4962398] _Secure_Document_Mrettinger-46568.docx | Get hash | malicious | HTMLPhisher | Browse | 208.91.198.81
PUBLIC-DOMAIN-REGISTRYUS | SOA.exe | Get hash | malicious | AgentTesla | Browse | 207.174.215.249
Process: C:\Users\user\Desktop\shipping doc -GY298035826.exe
File Type: data
Category: dropped
Size (bytes): 267776
Entropy (8bit): 7.880793231121896
Encrypted: false
SSDEEP: 6144:54soC/nQfBxWpBLenjf20CKmvMbVQIAMsUZdwUNUEwh2YPDUs:54HCCWpBLejJLNUbh2U4s
MD5: 6964802B2B0F46FDB51A7E59603F18CB
SHA1: 2B30287EFB523AFADB12C7532A935D821683B4DE
SHA-256: 0A20C537398869D61675E5C1708E91B538E2D84C9B36F7D11F64BC12760B410C
SHA-512: D53E65A2BD3388C7D5E9A9E0C4121289214CF25753EA6D6F6A1CBB99EE3354A34B8BF40EE753AF6F1E63B0FE32B779D7F7DBEAD103611157CEF8679C3DD1015F
Malicious: false
Reputation: low
                        Preview:.m.1UCG2S8ZE..ZB.8ED77G7.1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB.8ED9(.9J._.f.Vt.d..31.H7+PE&ZjR7-)]#.8 u4/,.Q+dsx..'^2&i?Z2~EUFZB78-T..kF.Oz2.L{I.;ge%<.I.:<..Ia@.=kC.F.4.8haYFY5.Iu.#O.2.Le.!;x7.<eQ&,.F.IJ1VCG2W8ZEUFZB78;./QG7J1..G2.9^E!.Z.78ED77G7.1uBL3^8Z.TFZ858ED77h.J1VSG2W.[EUF.B7(ED75G7O1VCG2W8_EUFZB78E$37G3J1.xE2U8Z.UFJB7(ED77W7J!VCG2W8JEUFZB78ED77."H1.CG2WXXE..[B78ED77G7J1VCG2W8ZEUFZB78..67[7J1VCG2W8ZEUFZB78ED77G7J1VC.?U8.EUFZB78ED77G.K1.BG2W8ZEUFZB78ED77G7J1VCG2W8t10>.B78].67G'J1V.F2W<ZEUFZB78ED77G7j1V#i@3Y.$UF./78E.67GYJ1V.F2W8ZEUFZB78EDw7GwdU77&2W8.uUFZb58ER77G=H1VCG2W8ZEUFZBw8E..E4E)1VC..V8Z%WFZ.68Ed57G7J1VCG2W8ZE.FZ.78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8ZEUFZB78ED77G7J1VCG2W8
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.14210611531414
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: shipping doc -GY298035826.exe
File size: 1'206'272 bytes
MD5: 7f7f96415f135da958972a9069140286
SHA1: bf5e39f266506df01c20d217ea1d03ac5fb30414
SHA256: 59189df2a774319d207c1a5a7d0ec820a7c37f89d2c4f8e4bc0a50001a3e2ba6
SHA512: 96458844f435d4cbdff02b3f086bdbb336963173d53e414414c08235dac89b0f84aa81c1ef4cc3f5cff894648c4b64e61afc51defa4877e671a8d498a774961d
SSDEEP: 24576:Vtb20pkaCqT5TBWgNQ7arjgwCLQZraCfwJHRlX6A:GVg5tQ7arjGWNfixl5
TLSH: ED45C01273DEC361C3B25273BA55B701BEBB782506A1F96B2FD4093DE820162561EB73
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x425f74
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x6745112B [Tue Nov 26 00:07:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 3d95adbf13bbe79dc24dccb401c12091
                        Instruction
                        call 00007F343CC59BDFh
                        jmp 00007F343CC4CBF4h
                        int3
                        int3
                        push edi
                        push esi
                        mov esi, dword ptr [esp+10h]
                        mov ecx, dword ptr [esp+14h]
                        mov edi, dword ptr [esp+0Ch]
                        mov eax, ecx
                        mov edx, ecx
                        add eax, esi
                        cmp edi, esi
                        jbe 00007F343CC4CD7Ah
                        cmp edi, eax
                        jc 00007F343CC4D0DEh
                        bt dword ptr [004C0158h], 01h
                        jnc 00007F343CC4CD79h
                        rep movsb
                        jmp 00007F343CC4D08Ch
                        cmp ecx, 00000080h
                        jc 00007F343CC4CF44h
                        mov eax, edi
                        xor eax, esi
                        test eax, 0000000Fh
                        jne 00007F343CC4CD80h
                        bt dword ptr [004BA370h], 01h
                        jc 00007F343CC4D250h
                        bt dword ptr [004C0158h], 00000000h
                        jnc 00007F343CC4CF1Dh
                        test edi, 00000003h
                        jne 00007F343CC4CF2Eh
                        test esi, 00000003h
                        jne 00007F343CC4CF0Dh
                        bt edi, 02h
                        jnc 00007F343CC4CD7Fh
                        mov eax, dword ptr [esi]
                        sub ecx, 04h
                        lea esi, dword ptr [esi+04h]
                        mov dword ptr [edi], eax
                        lea edi, dword ptr [edi+04h]
                        bt edi, 03h
                        jnc 00007F343CC4CD83h
                        movq xmm1, qword ptr [esi]
                        sub ecx, 08h
                        lea esi, dword ptr [esi+08h]
                        movq qword ptr [edi], xmm1
                        lea edi, dword ptr [edi+08h]
                        test esi, 00000007h
                        je 00007F343CC4CDD5h
                        bt esi, 03h
                        jnc 00007F343CC4CE28h
                        movdqa xmm1, dqword ptr [esi+00h]
                        Programming Language:
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [ASM] VS2012 UPD4 build 61030
                        • [RES] VS2012 UPD4 build 61030
                        • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x5d7f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x122000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x5d7f0 | 0x5d800 | 8b950d17869976c2c923850c4c33447c | False | 0.9323038519385026 | data | 7.904466883989992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x122000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc44a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc45c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc48b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc49d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc6690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8c38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xc9ce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xca148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xca6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcad68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcb7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcbe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc2b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc410 | 0x54ec7 | data | | | 1.000333479949518
RT_GROUP_ICON | 0x1212d8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x121350 | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x121364 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x121440 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                        DLLImport
                        WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                        VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                        WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                        COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                        MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                        WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                        PSAPI.DLLGetProcessMemoryInfo
                        IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                        USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                        UxTheme.dllIsThemeActive
                        KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
                        USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                        GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                        COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
                        ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                        SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                        ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                        OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
                        Language of compilation system | Country where language is spoken
                        English | Great Britain
                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                        2024-11-26T04:49:59.968103+0100 | 2855245 | ETPRO MALWARE Agent Tesla Exfil via SMTP | 1 | 192.168.2.5 | 49704 | 162.251.80.30 | 587 | TCP
                        2024-11-26T04:49:59.968103+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49704 | 162.251.80.30 | 587 | TCP
                        2024-11-26T04:51:35.970951+0100 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.5 | 49704 | 162.251.80.30 | 587 | TCP
                        2024-11-26T04:51:35.970951+0100 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.5 | 49704 | 162.251.80.30 | 587 | TCP
                        2024-11-26T04:51:35.970951+0100 | 2840032 | ETPRO MALWARE Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 1 | 192.168.2.5 | 49704 | 162.251.80.30 | 587 | TCP
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 26, 2024 04:49:55.986196041 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:56.106049061 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:56.106126070 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:57.386096001 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:57.386888027 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:57.506900072 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:57.770694017 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:57.771809101 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:57.891750097 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:58.154567003 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:58.155514956 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:58.275429964 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:58.685621023 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:58.685934067 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:58.805857897 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.083349943 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.083551884 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:59.203490019 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.579682112 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.579881907 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:59.699824095 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.967361927 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:49:59.968101978 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:59.968102932 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:59.968102932 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:49:59.968249083 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:50:00.088284969 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:50:00.088300943 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:50:00.088310957 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:50:00.088412046 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:50:00.472186089 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:50:00.522685051 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:51:35.382514954 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:51:35.502564907 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:51:35.970731020 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:51:35.970890045 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Nov 26, 2024 04:51:35.970911980 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:51:35.970951080 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30
                        Nov 26, 2024 04:51:36.090825081 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 26, 2024 04:49:55.354451895 CET | 55826 | 53 | 192.168.2.5 | 1.1.1.1
                        Nov 26, 2024 04:49:55.978564024 CET | 53 | 55826 | 1.1.1.1 | 192.168.2.5
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Nov 26, 2024 04:49:55.354451895 CET | 192.168.2.5 | 1.1.1.1 | 0xabfb | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Nov 26, 2024 04:49:55.978564024 CET | 1.1.1.1 | 192.168.2.5 | 0xabfb | No error (0) | mail.thelamalab.com |  | 162.251.80.30 | A (IP address) | IN (0x0001) | false
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                        Nov 26, 2024 04:49:57.386096001 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Tue, 26 Nov 2024 09:19:57 +0530
                         |  |  |  |  | 220-We do not authorize the use of this system to transport unsolicited,
                         |  |  |  |  | 220 and/or bulk e-mail.
                        Nov 26, 2024 04:49:57.386888027 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | EHLO 258555
                        Nov 26, 2024 04:49:57.770694017 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 250-md-114.webhostbox.net Hello 258555 [8.46.123.75]
                         |  |  |  |  | 250-SIZE 52428800
                         |  |  |  |  | 250-8BITMIME
                         |  |  |  |  | 250-PIPELINING
                         |  |  |  |  | 250-PIPECONNECT
                         |  |  |  |  | 250-AUTH PLAIN LOGIN
                         |  |  |  |  | 250-STARTTLS
                         |  |  |  |  | 250 HELP
                        Nov 26, 2024 04:49:57.771809101 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
                        Nov 26, 2024 04:49:58.154567003 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 334 UGFzc3dvcmQ6
                        Nov 26, 2024 04:49:58.685621023 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 235 Authentication succeeded
                        Nov 26, 2024 04:49:58.685934067 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | MAIL FROM:<billing@thelamalab.com>
                        Nov 26, 2024 04:49:59.083349943 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 250 OK
                        Nov 26, 2024 04:49:59.083551884 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | RCPT TO:<jinhux31@gmail.com>
                        Nov 26, 2024 04:49:59.579682112 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 250 Accepted
                        Nov 26, 2024 04:49:59.579881907 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | DATA
                        Nov 26, 2024 04:49:59.967361927 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
                        Nov 26, 2024 04:49:59.968249083 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | .
                        Nov 26, 2024 04:50:00.472186089 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 250 OK id=1tFmaN-002Mcx-2U
                        Nov 26, 2024 04:51:35.382514954 CET | 49704 | 587 | 192.168.2.5 | 162.251.80.30 | QUIT
                        Nov 26, 2024 04:51:35.970731020 CET | 587 | 49704 | 162.251.80.30 | 192.168.2.5 | 221 md-114.webhostbox.net closing connection

                        Target ID:0
                        Start time:22:49:52
                        Start date:25/11/2024
                        Path:C:\Users\user\Desktop\shipping doc -GY298035826.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\shipping doc -GY298035826.exe"
                        Imagebase:0xff0000
                        File size:1'206'272 bytes
                        MD5 hash:7F7F96415F135DA958972A9069140286
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2021170596.0000000003650000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation:low
                        Has exited:true

                        Target ID:2
                        Start time:22:49:53
                        Start date:25/11/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\Desktop\shipping doc -GY298035826.exe"
                        Imagebase:0x530000
                        File size:45'984 bytes
                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3248931051.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3248931051.0000000002A37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.3247237709.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3248730977.0000000002960000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.3250925828.0000000004F00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3248298110.000000000266F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.3250003026.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3248931051.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3248931051.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:high
                        Has exited:false

                          Execution Graph

                          Execution Coverage:3.7%
                          Dynamic/Decrypted Code Coverage:1.5%
                          Signature Coverage:7.5%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:63
                          execution_graph 95324 11e5348 95338 11e2f98 95324->95338 95326 11e5430 95341 11e5238 95326->95341 95344 11e6458 GetPEB 95338->95344 95340 11e3623 95340->95326 95342 11e5241 Sleep 95341->95342 95343 11e524f 95342->95343 95345 11e6482 95344->95345 95345->95340 95346 1069bec 95381 1000ae0 _memcpy_s Mailbox 95346->95381 95348 100f4ea 48 API calls 95348->95381 95351 100f4ea 48 API calls 95374 fffec8 95351->95374 95352 1000509 95524 103cc5c 86 API calls 4 library calls 95352->95524 95353 100146e 95361 ff6eed 48 API calls 95353->95361 95356 ff6eed 48 API calls 95356->95374 95357 1001473 95523 103cc5c 86 API calls 4 library calls 95357->95523 95359 106a246 95515 ff6eed 95359->95515 95360 106a922 95376 ffffe1 Mailbox 95361->95376 95366 106a873 95367 10297ed InterlockedDecrement 95367->95374 95368 106a30e 95368->95376 95519 10297ed InterlockedDecrement 95368->95519 95369 ffd7f7 48 API calls 95369->95374 95372 1010f0a 52 API calls __cinit 95372->95374 95373 106a973 95525 103cc5c 86 API calls 4 library calls 95373->95525 95374->95351 95374->95352 95374->95353 95374->95356 95374->95357 95374->95359 95374->95367 95374->95368 95374->95369 95374->95372 95374->95373 95374->95376 95378 10015b5 95374->95378 95512 1001820 335 API calls 2 library calls 95374->95512 95513 1001d10 59 API calls Mailbox 95374->95513 95377 106a982 95522 103cc5c 86 API calls 4 library calls 95378->95522 95381->95348 95381->95374 95381->95376 95382 106a706 95381->95382 95384 1001526 Mailbox 95381->95384 95385 10297ed InterlockedDecrement 95381->95385 95389 fffe30 95381->95389 95418 1050d1d 95381->95418 95421 1050d09 95381->95421 95424 103b55b 95381->95424 95428 104f0ac 95381->95428 95460 103a6ef 95381->95460 95466 ffce19 95381->95466 95472 104e822 95381->95472 95514 104ef61 82 API calls 2 library calls 95381->95514 95520 103cc5c 86 API calls 4 library calls 95382->95520 95521 103cc5c 86 API calls 4 library calls 95384->95521 95385->95381 95390 fffe50 95389->95390 95415 fffe7e 
95389->95415 95526 100f4ea 95390->95526 95392 100146e 95393 ff6eed 48 API calls 95392->95393 95414 ffffe1 95393->95414 95394 ffd7f7 48 API calls 95394->95415 95395 1000509 95540 103cc5c 86 API calls 4 library calls 95395->95540 95398 ff6eed 48 API calls 95398->95415 95400 100f4ea 48 API calls 95400->95415 95401 106a246 95404 ff6eed 48 API calls 95401->95404 95402 1001473 95539 103cc5c 86 API calls 4 library calls 95402->95539 95403 106a922 95403->95381 95404->95414 95407 106a873 95407->95381 95408 10297ed InterlockedDecrement 95408->95415 95409 106a30e 95409->95414 95537 10297ed InterlockedDecrement 95409->95537 95410 1010f0a 52 API calls __cinit 95410->95415 95412 106a973 95541 103cc5c 86 API calls 4 library calls 95412->95541 95414->95381 95415->95392 95415->95394 95415->95395 95415->95398 95415->95400 95415->95401 95415->95402 95415->95408 95415->95409 95415->95410 95415->95412 95415->95414 95417 10015b5 95415->95417 95535 1001820 335 API calls 2 library calls 95415->95535 95536 1001d10 59 API calls Mailbox 95415->95536 95416 106a982 95538 103cc5c 86 API calls 4 library calls 95417->95538 95564 104f8ae 95418->95564 95420 1050d2d 95420->95381 95422 104f8ae 129 API calls 95421->95422 95423 1050d19 95422->95423 95423->95381 95425 103b564 95424->95425 95426 103b569 95424->95426 95729 103a4d5 95425->95729 95426->95381 95429 ffd7f7 48 API calls 95428->95429 95430 104f0c0 95429->95430 95431 ffd7f7 48 API calls 95430->95431 95432 104f0c8 95431->95432 95433 ffd7f7 48 API calls 95432->95433 95434 104f0d0 95433->95434 95435 ff936c 81 API calls 95434->95435 95443 104f0de 95435->95443 95436 ffc799 48 API calls 95436->95443 95437 ff6a63 48 API calls 95437->95443 95439 104f2b3 95762 ff518c 95439->95762 95440 ff6eed 48 API calls 95440->95443 95442 104f2f9 Mailbox 95442->95381 95443->95436 95443->95437 95443->95439 95443->95440 95443->95442 95444 104f2ce 95443->95444 95447 ffbdfa 48 API calls 95443->95447 95451 104f2cc 95443->95451 95453 ffbdfa 48 API calls 95443->95453 95457 
ff518c 48 API calls 95443->95457 95458 ff936c 81 API calls 95443->95458 95459 ff510d 48 API calls 95443->95459 95446 ff518c 48 API calls 95444->95446 95449 104f2dd 95446->95449 95450 104f175 CharUpperBuffW 95447->95450 95452 ff510d 48 API calls 95449->95452 95751 ffd645 95450->95751 95451->95442 95781 ff6b68 48 API calls 95451->95781 95452->95451 95454 104f23a CharUpperBuffW 95453->95454 95761 100d922 55 API calls 2 library calls 95454->95761 95457->95443 95458->95443 95459->95443 95461 103a6fb 95460->95461 95462 100f4ea 48 API calls 95461->95462 95463 103a709 95462->95463 95464 103a717 95463->95464 95465 ffd7f7 48 API calls 95463->95465 95464->95381 95465->95464 95467 ffce28 __wsetenvp 95466->95467 95468 100ee75 48 API calls 95467->95468 95469 ffce50 _memcpy_s 95468->95469 95470 100f4ea 48 API calls 95469->95470 95471 ffce66 95470->95471 95471->95381 95473 104e84e 95472->95473 95474 104e868 95472->95474 95813 103cc5c 86 API calls 4 library calls 95473->95813 95814 104ccdc 48 API calls 95474->95814 95477 104e871 95478 fffe30 334 API calls 95477->95478 95479 104e8cf 95478->95479 95480 104e96a 95479->95480 95481 104e916 95479->95481 95505 104e860 Mailbox 95479->95505 95482 104e978 95480->95482 95486 104e9c7 95480->95486 95815 1039b72 48 API calls 95481->95815 95833 103a69d 48 API calls 95482->95833 95485 104e949 95816 10045e0 95485->95816 95489 ff936c 81 API calls 95486->95489 95486->95505 95487 104e99b 95834 ffbc74 48 API calls 95487->95834 95491 104e9e1 95489->95491 95493 ffbdfa 48 API calls 95491->95493 95492 104e9a3 Mailbox 95835 1003200 95492->95835 95494 104ea05 CharUpperBuffW 95493->95494 95495 104ea1f 95494->95495 95497 104ea26 95495->95497 95498 104ea72 95495->95498 95907 1039b72 48 API calls 95497->95907 95499 ff936c 81 API calls 95498->95499 95500 104ea7a 95499->95500 95908 ff1caa 49 API calls 95500->95908 95503 104ea54 95504 10045e0 334 API calls 95503->95504 95504->95505 95505->95381 95506 104ea84 95506->95505 95507 ff936c 81 API calls 95506->95507 95508 
104ea9f 95507->95508 95909 ffbc74 48 API calls 95508->95909 95510 104eaaf 95511 1003200 334 API calls 95510->95511 95511->95505 95512->95374 95513->95374 95514->95381 95516 ff6ef8 95515->95516 95517 ff6f00 95515->95517 97036 ffdd47 48 API calls _memcpy_s 95516->97036 95517->95376 95519->95376 95520->95384 95521->95376 95522->95376 95523->95366 95524->95360 95525->95377 95529 100f4f2 __calloc_impl 95526->95529 95528 100f50c 95528->95415 95529->95528 95530 100f50e std::exception::exception 95529->95530 95542 101395c 95529->95542 95556 1016805 RaiseException 95530->95556 95532 100f538 95557 101673b 47 API calls _free 95532->95557 95534 100f54a 95534->95415 95535->95415 95536->95415 95537->95414 95538->95414 95539->95407 95540->95403 95541->95416 95543 10139d7 __calloc_impl 95542->95543 95553 1013968 __calloc_impl 95542->95553 95563 1017c0e 47 API calls __getptd_noexit 95543->95563 95544 1013973 95544->95553 95558 10181c2 47 API calls 2 library calls 95544->95558 95559 101821f 47 API calls 8 library calls 95544->95559 95560 1011145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95544->95560 95547 101399b RtlAllocateHeap 95548 10139cf 95547->95548 95547->95553 95548->95529 95550 10139c3 95561 1017c0e 47 API calls __getptd_noexit 95550->95561 95553->95544 95553->95547 95553->95550 95554 10139c1 95553->95554 95562 1017c0e 47 API calls __getptd_noexit 95554->95562 95556->95532 95557->95534 95558->95544 95559->95544 95561->95554 95562->95548 95563->95548 95600 ff936c 95564->95600 95566 104f8ea 95581 104f92c Mailbox 95566->95581 95620 1050567 95566->95620 95568 104fb8b 95569 104fcfa 95568->95569 95573 104fb95 95568->95573 95683 1050688 89 API calls Mailbox 95569->95683 95572 104fd07 95572->95573 95575 104fd13 95572->95575 95633 104f70a 95573->95633 95574 ff936c 81 API calls 95586 104f984 Mailbox 95574->95586 95575->95581 95580 104fbc9 95647 100ed18 95580->95647 95581->95420 95584 104fbe3 95653 103cc5c 86 API calls 4 library calls 95584->95653 95585 
[Execution graph: the rendered node and edge data (function addresses and "A->B" links) did not survive extraction and is omitted here. Windows API calls named on the graph nodes in this segment include: process/library handling (GetCurrentProcess, TerminateProcess, ExitProcess, LoadLibraryA, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleHandleExW, IsProcessorFeaturePresent, VirtualProtect, RaiseException); resources (FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal); files (CreateFileW, WriteFile, CopyFileW, DeleteFileW, SetFileTime, GetFileType, GetFileAttributesW, FindFirstFileW, FindClose, GetTempPathW, GetTempFileNameW, CloseHandle, GetLastError, RtlFreeHeap); console and strings (GetConsoleMode, GetConsoleCP, WriteConsoleW, WideCharToMultiByte, CharLowerBuffW, CharUpperBuffW); synchronization and timing (InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, GetExitCodeProcess, Sleep, timeGetTime, GetSystemTimeAsFileTime); and window messaging (PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LockWindowUpdate, DestroyWindow). Graph node labels also reference CRT internals such as _memcpy_s, _wcscpy, _wcscat, __wsetenvp, __fcloseall and __getptd_noexit.]
timeGetTime 96881->96899 96882 1065445 Sleep 96882->96902 96883->96899 96884->96883 96884->96902 96885 1065432 Sleep 96885->96882 96886 1058c4b 108 API calls 96886->96899 96887 ff2c79 107 API calls 96887->96899 96889 10659ae Sleep 96889->96902 96890 ff1caa 49 API calls 96890->96902 96893 ffce19 48 API calls 96893->96899 96895 fffe30 311 API calls 96895->96902 96896 ffd6e9 55 API calls 96896->96899 96897 10045e0 311 API calls 96897->96902 96898 1003200 311 API calls 96898->96902 96899->96871 96899->96878 96899->96881 96899->96882 96899->96885 96899->96886 96899->96887 96899->96889 96899->96893 96899->96896 96899->96902 97008 1034cbe 49 API calls Mailbox 96899->97008 97009 ff1caa 49 API calls 96899->97009 97010 ff2aae 335 API calls 96899->97010 97011 104ccb2 50 API calls 96899->97011 97012 1037a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 96899->97012 97013 1036532 63 API calls 3 library calls 96899->97013 96902->96847 96902->96853 96902->96856 96902->96859 96902->96863 96902->96864 96902->96866 96902->96867 96902->96868 96902->96869 96902->96872 96902->96873 96902->96874 96902->96880 96902->96882 96902->96890 96902->96895 96902->96897 96902->96898 96902->96899 96903 ffce19 48 API calls 96902->96903 96904 ffd6e9 55 API calls 96902->96904 96934 fff110 96902->96934 96999 ffeed0 335 API calls Mailbox 96902->96999 97000 ffef00 335 API calls 96902->97000 97001 100e244 TranslateAcceleratorW 96902->97001 97002 100dc5f IsDialogMessageW GetClassLongW 96902->97002 97007 1058d23 48 API calls 96902->97007 96903->96902 96904->96902 96905->95846 96906->95897 96907->95895 96908->95895 96909->95895 96910->95906 96911->95846 96912->95897 96913->95888 96914->95888 96915->95844 96916->95897 96917->95873 96918->95897 96919->95897 96920->95897 96921->95895 96922->95895 96923->95895 96924->95895 96926 ffd6f4 96925->96926 96928 ffd71b 96926->96928 97035 ffd764 55 API calls 96926->97035 96928->95872 96929->95897 96930->95891 96931->95901 
96932->95897 96933->96842 96935 fff130 96934->96935 96937 fffe30 335 API calls 96935->96937 96942 fff199 96935->96942 96936 fff595 96944 ffd7f7 48 API calls 96936->96944 96988 fff431 Mailbox 96936->96988 96938 1068728 96937->96938 96938->96942 97015 103cc5c 86 API calls 4 library calls 96938->97015 96939 10687c8 97018 103cc5c 86 API calls 4 library calls 96939->97018 96940 fff418 96948 1068b1b 96940->96948 96978 fff6aa 96940->96978 96940->96988 96942->96936 96945 ffd7f7 48 API calls 96942->96945 96982 fff229 96942->96982 96986 fff3dd 96942->96986 96946 10687a3 96944->96946 96949 1068772 96945->96949 97017 1010f0a 52 API calls __cinit 96946->97017 96947 fff3f2 96947->96940 97019 1039af1 48 API calls 96947->97019 96964 1068bcf 96948->96964 96965 1068b2c 96948->96965 97016 1010f0a 52 API calls __cinit 96949->97016 96952 fff770 96956 1068a45 96952->96956 96963 fff77a 96952->96963 96954 ffd6e9 55 API calls 96954->96988 96955 1068810 97020 104eef8 335 API calls 96955->97020 97025 100c1af 48 API calls 96956->97025 96957 fffe30 335 API calls 96957->96978 96958 103cc5c 86 API calls 96958->96988 96959 1068b7e 97028 104e40a 335 API calls Mailbox 96959->97028 96960 1068c53 97033 103cc5c 86 API calls 4 library calls 96960->97033 96971 1001b90 48 API calls 96963->96971 97030 103cc5c 86 API calls 4 library calls 96964->97030 97027 104f5ee 335 API calls 96965->97027 96966 1068beb 97031 104bdbd 335 API calls Mailbox 96966->97031 96968 fffe30 335 API calls 96968->96988 96971->96988 96973 fffce0 96998 fff537 Mailbox 96973->96998 97029 103cc5c 86 API calls 4 library calls 96973->97029 96976 1001b90 48 API calls 96976->96988 96977 1068c00 96977->96998 97032 103cc5c 86 API calls 4 library calls 96977->97032 96978->96952 96978->96957 96978->96973 96978->96988 96978->96998 96979 1068823 96979->96940 96981 106884b 96979->96981 97021 104ccdc 48 API calls 96981->97021 96982->96936 96982->96940 96982->96986 96982->96988 96986->96939 96986->96947 96986->96988 96987 1068857 96990 1068865 
96987->96990 96991 10688aa 96987->96991 96988->96954 96988->96958 96988->96959 96988->96960 96988->96966 96988->96968 96988->96973 96988->96976 96988->96998 97014 ffdd47 48 API calls _memcpy_s 96988->97014 97026 10297ed InterlockedDecrement 96988->97026 97034 100c1af 48 API calls 96988->97034 97022 1039b72 48 API calls 96990->97022 96994 10688a0 Mailbox 96991->96994 97023 103a69d 48 API calls 96991->97023 96992 fffe30 335 API calls 96992->96998 96994->96992 96996 10688e7 97024 ffbc74 48 API calls 96996->97024 96998->96902 96999->96902 97000->96902 97001->96902 97002->96902 97003->96859 97004->96851 97005->96855 97006->96902 97007->96902 97008->96899 97009->96899 97010->96899 97011->96899 97012->96899 97013->96899 97014->96988 97015->96942 97016->96982 97017->96988 97018->96998 97019->96955 97020->96979 97021->96987 97022->96994 97023->96996 97024->96994 97025->96988 97026->96988 97027->96988 97028->96973 97029->96998 97030->96998 97031->96977 97032->96998 97033->96998 97034->96988 97035->96928 97036->95517 97037 10619dd 97042 ff4a30 97037->97042 97039 10619f1 97062 1010f0a 52 API calls __cinit 97039->97062 97041 10619fb 97043 ff4a40 __ftell_nolock 97042->97043 97044 ffd7f7 48 API calls 97043->97044 97045 ff4af6 97044->97045 97063 ff5374 97045->97063 97047 ff4aff 97070 ff363c 97047->97070 97050 ff518c 48 API calls 97051 ff4b18 97050->97051 97076 ff64cf 97051->97076 97054 ffd7f7 48 API calls 97055 ff4b32 97054->97055 97082 ff49fb 97055->97082 97057 ff4b43 Mailbox 97057->97039 97058 ffce19 48 API calls 97060 ff4b3d _wcscat Mailbox __wsetenvp 97058->97060 97059 ff64cf 48 API calls 97059->97060 97060->97057 97060->97058 97060->97059 97061 ff61a6 48 API calls 97060->97061 97061->97060 97062->97041 97096 101f8a0 97063->97096 97066 ffce19 48 API calls 97067 ff53a7 97066->97067 97098 ff660f 97067->97098 97069 ff53b1 Mailbox 97069->97047 97071 ff3649 __ftell_nolock 97070->97071 97121 ff366c GetFullPathNameW 97071->97121 97073 ff365a 97074 ff6a63 48 API calls 97073->97074 
97075 ff3669 97074->97075 97075->97050 97077 ff651b 97076->97077 97081 ff64dd _memcpy_s 97076->97081 97080 100f4ea 48 API calls 97077->97080 97078 100f4ea 48 API calls 97079 ff4b29 97078->97079 97079->97054 97080->97081 97081->97078 97123 ffbcce 97082->97123 97085 ff4a2b 97085->97060 97086 10641cc RegQueryValueExW 97087 1064246 RegCloseKey 97086->97087 97088 10641e5 97086->97088 97089 100f4ea 48 API calls 97088->97089 97090 10641fe 97089->97090 97091 ff47b7 48 API calls 97090->97091 97092 1064208 RegQueryValueExW 97091->97092 97093 1064224 97092->97093 97094 106423b 97092->97094 97095 ff6a63 48 API calls 97093->97095 97094->97087 97095->97094 97097 ff5381 GetModuleFileNameW 97096->97097 97097->97066 97099 101f8a0 __ftell_nolock 97098->97099 97100 ff661c GetFullPathNameW 97099->97100 97105 ff6a63 97100->97105 97102 ff6643 97116 ff6571 97102->97116 97106 ff6adf 97105->97106 97108 ff6a6f __wsetenvp 97105->97108 97107 ffb18b 48 API calls 97106->97107 97115 ff6ab6 _memcpy_s 97107->97115 97109 ff6a8b 97108->97109 97110 ff6ad7 97108->97110 97112 ff6b4a 48 API calls 97109->97112 97120 ffc369 48 API calls 97110->97120 97113 ff6a95 97112->97113 97114 100ee75 48 API calls 97113->97114 97114->97115 97115->97102 97117 ff657f 97116->97117 97118 ffb18b 48 API calls 97117->97118 97119 ff658f 97118->97119 97119->97069 97120->97115 97122 ff368a 97121->97122 97122->97073 97124 ffbce8 97123->97124 97128 ff4a0a RegOpenKeyExW 97123->97128 97125 100f4ea 48 API calls 97124->97125 97126 ffbcf2 97125->97126 97127 100ee75 48 API calls 97126->97127 97127->97128 97128->97085 97128->97086 97129 10619ba 97134 100c75a 97129->97134 97133 10619c9 97135 ffd7f7 48 API calls 97134->97135 97136 100c7c8 97135->97136 97142 100d26c 97136->97142 97139 100c865 97140 100c881 97139->97140 97145 100d1fa 48 API calls _memcpy_s 97139->97145 97141 1010f0a 52 API calls __cinit 97140->97141 97141->97133 97146 100d298 97142->97146 97145->97139 97147 100d28b 97146->97147 97148 100d2a5 97146->97148 97147->97139 
97148->97147 97149 100d2ac RegOpenKeyExW 97148->97149 97149->97147 97150 100d2c6 RegQueryValueExW 97149->97150 97151 100d2fc RegCloseKey 97150->97151 97152 100d2e7 97150->97152 97151->97147 97152->97151 97153 1015dfd 97154 1015e09 __fcloseall 97153->97154 97190 1017eeb GetStartupInfoW 97154->97190 97156 1015e0e 97192 1019ca7 GetProcessHeap 97156->97192 97158 1015e66 97159 1015e71 97158->97159 97277 1015f4d 47 API calls 3 library calls 97158->97277 97193 1017b47 97159->97193 97162 1015e77 97163 1015e82 __RTC_Initialize 97162->97163 97278 1015f4d 47 API calls 3 library calls 97162->97278 97214 101acb3 97163->97214 97166 1015e91 97167 1015e9d GetCommandLineW 97166->97167 97279 1015f4d 47 API calls 3 library calls 97166->97279 97233 1022e7d GetEnvironmentStringsW 97167->97233 97170 1015e9c 97170->97167 97174 1015ec2 97246 1022cb4 97174->97246 97177 1015ec8 97178 1015ed3 97177->97178 97281 101115b 47 API calls 3 library calls 97177->97281 97260 1011195 97178->97260 97181 1015edb 97182 1015ee6 __wwincmdln 97181->97182 97282 101115b 47 API calls 3 library calls 97181->97282 97264 ff3a0f 97182->97264 97185 1015efa 97186 1015f09 97185->97186 97283 10113f1 47 API calls _doexit 97185->97283 97284 1011186 47 API calls _doexit 97186->97284 97189 1015f0e __fcloseall 97191 1017f01 97190->97191 97191->97156 97192->97158 97285 101123a 30 API calls 2 library calls 97193->97285 97195 1017b4c 97286 1017e23 InitializeCriticalSectionAndSpinCount 97195->97286 97197 1017b51 97198 1017b55 97197->97198 97288 1017e6d TlsAlloc 97197->97288 97287 1017bbd 50 API calls 2 library calls 97198->97287 97201 1017b5a 97201->97162 97202 1017b67 97202->97198 97203 1017b72 97202->97203 97289 1016986 97203->97289 97206 1017bb4 97297 1017bbd 50 API calls 2 library calls 97206->97297 97209 1017bb9 97209->97162 97210 1017b93 97210->97206 97211 1017b99 97210->97211 97296 1017a94 47 API calls 4 library calls 97211->97296 97213 1017ba1 GetCurrentThreadId 97213->97162 97215 101acbf __fcloseall 97214->97215 97216 
1017cf4 __lock 47 API calls 97215->97216 97217 101acc6 97216->97217 97218 1016986 __calloc_crt 47 API calls 97217->97218 97219 101acd7 97218->97219 97220 101ad42 GetStartupInfoW 97219->97220 97221 101ace2 __fcloseall @_EH4_CallFilterFunc@8 97219->97221 97228 101ae80 97220->97228 97230 101ad57 97220->97230 97221->97166 97222 101af44 97306 101af58 LeaveCriticalSection _doexit 97222->97306 97224 101aec9 GetStdHandle 97224->97228 97225 1016986 __calloc_crt 47 API calls 97225->97230 97226 101aedb GetFileType 97226->97228 97227 101ada5 97227->97228 97231 101ade5 InitializeCriticalSectionAndSpinCount 97227->97231 97232 101add7 GetFileType 97227->97232 97228->97222 97228->97224 97228->97226 97229 101af08 InitializeCriticalSectionAndSpinCount 97228->97229 97229->97228 97230->97225 97230->97227 97230->97228 97231->97227 97232->97227 97232->97231 97234 1015ead 97233->97234 97235 1022e8e 97233->97235 97240 1022a7b GetModuleFileNameW 97234->97240 97307 10169d0 47 API calls __crtLCMapStringA_stat 97235->97307 97238 1022eb4 _memcpy_s 97239 1022eca FreeEnvironmentStringsW 97238->97239 97239->97234 97241 1022aaf _wparse_cmdline 97240->97241 97242 1015eb7 97241->97242 97243 1022ae9 97241->97243 97242->97174 97280 101115b 47 API calls 3 library calls 97242->97280 97308 10169d0 47 API calls __crtLCMapStringA_stat 97243->97308 97245 1022aef _wparse_cmdline 97245->97242 97247 1022ccd __wsetenvp 97246->97247 97248 1022cc5 97246->97248 97249 1016986 __calloc_crt 47 API calls 97247->97249 97248->97177 97253 1022cf6 __wsetenvp 97249->97253 97250 1022d4d 97251 1011c9d _free 47 API calls 97250->97251 97251->97248 97252 1016986 __calloc_crt 47 API calls 97252->97253 97253->97248 97253->97250 97253->97252 97254 1022d72 97253->97254 97257 1022d89 97253->97257 97309 1022567 47 API calls __mbsnbicoll_l 97253->97309 97255 1011c9d _free 47 API calls 97254->97255 97255->97248 97310 1016e20 IsProcessorFeaturePresent 97257->97310 97259 1022d95 97259->97177 97261 10111a1 __initterm_e 
__initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 97260->97261 97263 10111e0 __IsNonwritableInCurrentImage 97261->97263 97325 1010f0a 52 API calls __cinit 97261->97325 97263->97181 97265 ff3a29 97264->97265 97266 1061ebf 97264->97266 97267 ff3a63 IsThemeActive 97265->97267 97326 1011405 97267->97326 97271 ff3a8f 97338 ff3adb SystemParametersInfoW SystemParametersInfoW 97271->97338 97273 ff3a9b 97339 ff3d19 97273->97339 97275 ff3aa3 SystemParametersInfoW 97276 ff3ac8 97275->97276 97276->97185 97277->97159 97278->97163 97279->97170 97283->97186 97284->97189 97285->97195 97286->97197 97287->97201 97288->97202 97291 101698d 97289->97291 97292 10169ca 97291->97292 97293 10169ab Sleep 97291->97293 97298 10230aa 97291->97298 97292->97206 97295 1017ec9 TlsSetValue 97292->97295 97294 10169c2 97293->97294 97294->97291 97294->97292 97295->97210 97296->97213 97297->97209 97299 10230b5 97298->97299 97304 10230d0 __calloc_impl 97298->97304 97300 10230c1 97299->97300 97299->97304 97305 1017c0e 47 API calls __getptd_noexit 97300->97305 97302 10230e0 RtlAllocateHeap 97303 10230c6 97302->97303 97302->97304 97303->97291 97304->97302 97304->97303 97305->97303 97306->97221 97307->97238 97308->97245 97309->97253 97311 1016e2b 97310->97311 97316 1016cb5 97311->97316 97315 1016e46 97315->97259 97317 1016ccf _memset __call_reportfault 97316->97317 97318 1016cef IsDebuggerPresent 97317->97318 97324 10181ac SetUnhandledExceptionFilter UnhandledExceptionFilter 97318->97324 97320 101a70c __crtLCMapStringA_stat 6 API calls 97322 1016dd6 97320->97322 97321 1016db3 __call_reportfault 97321->97320 97323 1018197 GetCurrentProcess TerminateProcess 97322->97323 97323->97315 97324->97321 97325->97263 97327 1017cf4 __lock 47 API calls 97326->97327 97328 1011410 97327->97328 97391 1017e58 LeaveCriticalSection 97328->97391 97330 ff3a88 97331 101146d 97330->97331 97332 1011491 97331->97332 97333 1011477 97331->97333 97332->97271 97333->97332 97392 1017c0e 47 API calls __getptd_noexit 97333->97392 
97335 1011481 97393 1016e10 8 API calls __mbsnbicoll_l 97335->97393 97337 101148c 97337->97271 97338->97273 97340 ff3d26 __ftell_nolock 97339->97340 97341 ffd7f7 48 API calls 97340->97341 97342 ff3d31 GetCurrentDirectoryW 97341->97342 97394 ff61ca 97342->97394 97344 ff3d57 IsDebuggerPresent 97345 1061cc1 MessageBoxA 97344->97345 97346 ff3d65 97344->97346 97349 1061cd9 97345->97349 97347 ff3e3a 97346->97347 97346->97349 97350 ff3d82 97346->97350 97348 ff3e41 SetCurrentDirectoryW 97347->97348 97351 ff3e4e Mailbox 97348->97351 97510 100c682 48 API calls 97349->97510 97468 ff40e5 97350->97468 97351->97275 97355 1061ce9 97359 1061cff SetCurrentDirectoryW 97355->97359 97359->97351 97391->97330 97392->97335 97393->97337 97512 100e99b 97394->97512 97398 ff61eb 97399 ff5374 50 API calls 97398->97399 97400 ff61ff 97399->97400 97401 ffce19 48 API calls 97400->97401 97402 ff620c 97401->97402 97529 ff39db 97402->97529 97404 ff6216 Mailbox 97405 ff6eed 48 API calls 97404->97405 97406 ff622b 97405->97406 97541 ff9048 97406->97541 97409 ffce19 48 API calls 97410 ff6244 97409->97410 97411 ffd6e9 55 API calls 97410->97411 97412 ff6254 Mailbox 97411->97412 97413 ffce19 48 API calls 97412->97413 97414 ff627c 97413->97414 97415 ffd6e9 55 API calls 97414->97415 97416 ff628f Mailbox 97415->97416 97417 ffce19 48 API calls 97416->97417 97418 ff62a0 97417->97418 97419 ffd645 53 API calls 97418->97419 97420 ff62b2 Mailbox 97419->97420 97421 ffd7f7 48 API calls 97420->97421 97422 ff62c5 97421->97422 97544 ff63fc 97422->97544 97426 ff62df 97427 ff62e9 97426->97427 97428 1061c08 97426->97428 97429 1010fa7 _W_store_winword 59 API calls 97427->97429 97430 ff63fc 48 API calls 97428->97430 97431 ff62f4 97429->97431 97432 1061c1c 97430->97432 97431->97432 97433 ff62fe 97431->97433 97435 ff63fc 48 API calls 97432->97435 97434 1010fa7 _W_store_winword 59 API calls 97433->97434 97437 ff6309 97434->97437 97436 1061c38 97435->97436 97439 ff5374 50 API calls 97436->97439 97437->97436 97438 ff6313 
97437->97438 97440 1010fa7 _W_store_winword 59 API calls 97438->97440 97441 1061c5d 97439->97441 97442 ff631e 97440->97442 97443 ff63fc 48 API calls 97441->97443 97444 ff635f 97442->97444 97446 1061c86 97442->97446 97449 ff63fc 48 API calls 97442->97449 97447 1061c69 97443->97447 97445 ff636c 97444->97445 97444->97446 97452 100c050 48 API calls 97445->97452 97450 ff6eed 48 API calls 97446->97450 97448 ff6eed 48 API calls 97447->97448 97453 1061c77 97448->97453 97454 ff6342 97449->97454 97451 1061ca8 97450->97451 97455 ff63fc 48 API calls 97451->97455 97456 ff6384 97452->97456 97457 ff63fc 48 API calls 97453->97457 97458 ff6eed 48 API calls 97454->97458 97460 1061cb5 97455->97460 97461 1001b90 48 API calls 97456->97461 97457->97446 97459 ff6350 97458->97459 97462 ff63fc 48 API calls 97459->97462 97460->97460 97465 ff6394 97461->97465 97462->97444 97463 1001b90 48 API calls 97463->97465 97465->97463 97466 ff63fc 48 API calls 97465->97466 97467 ff63d6 Mailbox 97465->97467 97560 ff6b68 48 API calls 97465->97560 97466->97465 97467->97344 97469 ff40f2 __ftell_nolock 97468->97469 97470 ff410b 97469->97470 97471 106370e _memset 97469->97471 97472 ff660f 49 API calls 97470->97472 97473 106372a GetOpenFileNameW 97471->97473 97474 ff4114 97472->97474 97475 1063779 97473->97475 97602 ff40a7 97474->97602 97478 ff6a63 48 API calls 97475->97478 97480 106378e 97478->97480 97480->97480 97481 ff4129 97620 ff4139 97481->97620 97510->97355 97513 ffd7f7 48 API calls 97512->97513 97514 ff61db 97513->97514 97515 ff6009 97514->97515 97516 ff6016 __ftell_nolock 97515->97516 97517 ff617c Mailbox 97516->97517 97518 ff6a63 48 API calls 97516->97518 97517->97398 97519 ff6048 97518->97519 97527 ff607e Mailbox 97519->97527 97561 ff61a6 97519->97561 97521 ff61a6 48 API calls 97521->97527 97522 ff614f 97522->97517 97523 ffce19 48 API calls 97522->97523 97525 ff6170 97523->97525 97524 ffce19 48 API calls 97524->97527 97526 ff64cf 48 API calls 97525->97526 97526->97517 97527->97517 97527->97521 
97527->97522 97527->97524 97528 ff64cf 48 API calls 97527->97528 97528->97527 97530 ff41a9 136 API calls 97529->97530 97531 ff39fe 97530->97531 97532 ff3a06 97531->97532 97564 103c396 97531->97564 97532->97404 97535 1062ff0 97537 1011c9d _free 47 API calls 97535->97537 97536 ff4252 84 API calls 97536->97535 97538 1062ffd 97537->97538 97539 ff4252 84 API calls 97538->97539 97540 1063006 97539->97540 97540->97540 97542 100f4ea 48 API calls 97541->97542 97543 ff6237 97542->97543 97543->97409 97545 ff641f 97544->97545 97546 ff6406 97544->97546 97548 ff6a63 48 API calls 97545->97548 97547 ff6eed 48 API calls 97546->97547 97549 ff62d1 97547->97549 97548->97549 97550 1010fa7 97549->97550 97551 1010fb3 97550->97551 97552 1011028 97550->97552 97559 1010fd8 97551->97559 97599 1017c0e 47 API calls __getptd_noexit 97551->97599 97601 101103a 59 API calls 3 library calls 97552->97601 97554 1011035 97554->97426 97556 1010fbf 97600 1016e10 8 API calls __mbsnbicoll_l 97556->97600 97558 1010fca 97558->97426 97559->97426 97560->97465 97562 ffbdfa 48 API calls 97561->97562 97563 ff61b1 97562->97563 97563->97519 97565 ff4517 83 API calls 97564->97565 97566 103c405 97565->97566 97567 103c56d 94 API calls 97566->97567 97568 103c417 97567->97568 97569 ff44ed 64 API calls 97568->97569 97597 103c41b 97568->97597 97570 103c432 97569->97570 97571 ff44ed 64 API calls 97570->97571 97572 103c442 97571->97572 97573 ff44ed 64 API calls 97572->97573 97574 103c45d 97573->97574 97575 ff44ed 64 API calls 97574->97575 97576 103c478 97575->97576 97577 ff4517 83 API calls 97576->97577 97578 103c48f 97577->97578 97579 101395c __crtLCMapStringA_stat 47 API calls 97578->97579 97580 103c496 97579->97580 97581 101395c __crtLCMapStringA_stat 47 API calls 97580->97581 97582 103c4a0 97581->97582 97583 ff44ed 64 API calls 97582->97583 97584 103c4b4 97583->97584 97585 103bf5a GetSystemTimeAsFileTime 97584->97585 97586 103c4c7 97585->97586 97587 103c4f1 97586->97587 97588 103c4dc 97586->97588 97589 103c4f7 
97587->97589 97590 103c556 97587->97590 97591 1011c9d _free 47 API calls 97588->97591 97592 103b965 118 API calls 97589->97592 97593 1011c9d _free 47 API calls 97590->97593 97594 103c4e2 97591->97594 97596 103c54e 97592->97596 97593->97597 97595 1011c9d _free 47 API calls 97594->97595 97595->97597 97598 1011c9d _free 47 API calls 97596->97598 97597->97535 97597->97536 97598->97597 97599->97556 97600->97558 97601->97554 97603 101f8a0 __ftell_nolock 97602->97603 97604 ff40b4 GetLongPathNameW 97603->97604 97605 ff6a63 48 API calls 97604->97605 97606 ff40dc 97605->97606 97607 ff49a0 97606->97607 97608 ffd7f7 48 API calls 97607->97608 97609 ff49b2 97608->97609 97610 ff660f 49 API calls 97609->97610 97611 ff49bd 97610->97611 97612 1062e35 97611->97612 97613 ff49c8 97611->97613 97618 1062e4f 97612->97618 97660 100d35e 60 API calls 97612->97660 97615 ff64cf 48 API calls 97613->97615 97616 ff49d4 97615->97616 97654 ff28a6 97616->97654 97619 ff49e7 Mailbox 97619->97481 97621 ff41a9 136 API calls 97620->97621 97622 ff415e 97621->97622 97623 1063489 97622->97623 97625 ff41a9 136 API calls 97622->97625 97624 103c396 122 API calls 97623->97624 97626 106349e 97624->97626 97627 ff4172 97625->97627 97628 10634a2 97626->97628 97629 10634bf 97626->97629 97627->97623 97630 ff417a 97627->97630 97631 ff4252 84 API calls 97628->97631 97632 100f4ea 48 API calls 97629->97632 97633 ff4186 97630->97633 97634 10634aa 97630->97634 97631->97634 97651 1063504 Mailbox 97632->97651 97661 ffc833 97633->97661 97755 1036b49 87 API calls _wprintf 97634->97755 97638 10634b8 97638->97629 97639 10636b4 97643 ffba85 48 API calls 97643->97651 97647 10636c5 97650 ffce19 48 API calls 97650->97651 97651->97639 97651->97643 97651->97647 97651->97650 97749 ff4dd9 97651->97749 97756 1032551 48 API calls _memcpy_s 97651->97756 97757 1032472 60 API calls 2 library calls 97651->97757 97758 1039c12 48 API calls 97651->97758 97655 ff28b8 97654->97655 97659 ff28d7 _memcpy_s 97654->97659 97657 100f4ea 48 API calls 
97655->97657 97656 100f4ea 48 API calls 97658 ff28ee 97656->97658 97657->97659 97658->97619 97659->97656 97660->97612 97662 ffc843 __ftell_nolock 97661->97662 97663 1063095 97662->97663 97664 ffc860 97662->97664 97755->97638 97756->97651 97757->97651 97758->97651 97812 106197b 97817 100dd94 97812->97817 97816 106198a 97818 100f4ea 48 API calls 97817->97818 97819 100dd9c 97818->97819 97820 100ddb0 97819->97820 97825 100df3d 97819->97825 97824 1010f0a 52 API calls __cinit 97820->97824 97824->97816 97826 100df46 97825->97826 97827 100dda8 97825->97827 97857 1010f0a 52 API calls __cinit 97826->97857 97829 100ddc0 97827->97829 97830 ffd7f7 48 API calls 97829->97830 97831 100ddd7 GetVersionExW 97830->97831 97832 ff6a63 48 API calls 97831->97832 97833 100de1a 97832->97833 97858 100dfb4 97833->97858 97836 ff6571 48 API calls 97842 100de2e 97836->97842 97839 10624c8 97840 100dea4 GetCurrentProcess 97871 100df5f LoadLibraryA GetProcAddress 97840->97871 97841 100debb 97844 100df31 GetSystemInfo 97841->97844 97845 100dee3 97841->97845 97842->97839 97862 100df77 97842->97862 97846 100df0e 97844->97846 97865 100e00c 97845->97865 97848 100df21 97846->97848 97849 100df1c FreeLibrary 97846->97849 97848->97820 97849->97848 97851 100df29 GetSystemInfo 97853 100df03 97851->97853 97852 100def9 97868 100dff4 97852->97868 97853->97846 97855 100df09 FreeLibrary 97853->97855 97855->97846 97857->97827 97859 100dfbd 97858->97859 97860 ffb18b 48 API calls 97859->97860 97861 100de22 97860->97861 97861->97836 97872 100df89 97862->97872 97876 100e01e 97865->97876 97869 100e00c 2 API calls 97868->97869 97870 100df01 GetNativeSystemInfo 97869->97870 97870->97853 97871->97841 97873 100dea0 97872->97873 97874 100df92 LoadLibraryA 97872->97874 97873->97840 97873->97841 97874->97873 97875 100dfa3 GetProcAddress 97874->97875 97875->97873 97877 100def1 97876->97877 97878 100e027 LoadLibraryA 97876->97878 97877->97851 97877->97852 97878->97877 97879 100e038 GetProcAddress 97878->97879 97879->97877 97880 
10619cb 97885 ff2322 97880->97885 97882 10619d1 97918 1010f0a 52 API calls __cinit 97882->97918 97884 10619db 97886 ff2344 97885->97886 97919 ff26df 97886->97919 97891 ffd7f7 48 API calls 97892 ff2384 97891->97892 97893 ffd7f7 48 API calls 97892->97893 97894 ff238e 97893->97894 97895 ffd7f7 48 API calls 97894->97895 97896 ff2398 97895->97896 97897 ffd7f7 48 API calls 97896->97897 97898 ff23de 97897->97898 97899 ffd7f7 48 API calls 97898->97899 97900 ff24c1 97899->97900 97927 ff263f 97900->97927 97904 ff24f1 97905 ffd7f7 48 API calls 97904->97905 97906 ff24fb 97905->97906 97956 ff2745 97906->97956 97908 ff2546 97909 ff2556 GetStdHandle 97908->97909 97910 106501d 97909->97910 97911 ff25b1 97909->97911 97910->97911 97913 1065026 97910->97913 97912 ff25b7 CoInitialize 97911->97912 97912->97882 97963 10392d4 53 API calls 97913->97963 97915 106502d 97964 10399f9 CreateThread 97915->97964 97917 1065039 CloseHandle 97917->97912 97918->97884 97965 ff2854 97919->97965 97922 ff6a63 48 API calls 97923 ff234a 97922->97923 97924 ff272e 97923->97924 97979 ff27ec 6 API calls 97924->97979 97926 ff237a 97926->97891 97928 ffd7f7 48 API calls 97927->97928 97929 ff264f 97928->97929 97930 ffd7f7 48 API calls 97929->97930 97931 ff2657 97930->97931 97980 ff26a7 97931->97980 97934 ff26a7 48 API calls 97935 ff2667 97934->97935 97936 ffd7f7 48 API calls 97935->97936 97937 ff2672 97936->97937 97938 100f4ea 48 API calls 97937->97938 97939 ff24cb 97938->97939 97940 ff22a4 97939->97940 97941 ff22b2 97940->97941 97942 ffd7f7 48 API calls 97941->97942 97943 ff22bd 97942->97943 97944 ffd7f7 48 API calls 97943->97944 97945 ff22c8 97944->97945 97946 ffd7f7 48 API calls 97945->97946 97947 ff22d3 97946->97947 97948 ffd7f7 48 API calls 97947->97948 97949 ff22de 97948->97949 97950 ff26a7 48 API calls 97949->97950 97951 ff22e9 97950->97951 97952 100f4ea 48 API calls 97951->97952 97953 ff22f0 97952->97953 97954 1061fe7 97953->97954 97955 ff22f9 RegisterWindowMessageW 97953->97955 97955->97904 97957 ff2755 
97956->97957 97958 1065f4d 97956->97958 97959 100f4ea 48 API calls 97957->97959 97985 103c942 50 API calls 97958->97985 97961 ff275d 97959->97961 97961->97908 97962 1065f58 97963->97915 97964->97917 97986 10399df 54 API calls 97964->97986 97972 ff2870 97965->97972 97968 ff2870 48 API calls 97969 ff2864 97968->97969 97970 ffd7f7 48 API calls 97969->97970 97971 ff2716 97970->97971 97971->97922 97973 ffd7f7 48 API calls 97972->97973 97974 ff287b 97973->97974 97975 ffd7f7 48 API calls 97974->97975 97976 ff2883 97975->97976 97977 ffd7f7 48 API calls 97976->97977 97978 ff285c 97977->97978 97978->97968 97979->97926 97981 ffd7f7 48 API calls 97980->97981 97982 ff26b0 97981->97982 97983 ffd7f7 48 API calls 97982->97983 97984 ff265f 97983->97984 97984->97934 97985->97962 97987 ff3742 97988 ff374b 97987->97988 97989 ff3769 97988->97989 97990 ff37c8 97988->97990 98027 ff37c6 97988->98027 97991 ff382c PostQuitMessage 97989->97991 97992 ff3776 97989->97992 97994 ff37ce 97990->97994 97995 1061e00 97990->97995 97999 ff37b9 97991->97999 97997 1061e88 97992->97997 97998 ff3781 97992->97998 97993 ff37ab DefWindowProcW 97993->97999 98000 ff37f6 SetTimer RegisterWindowMessageW 97994->98000 98001 ff37d3 97994->98001 98036 ff2ff6 16 API calls 97995->98036 98042 1034ddd 60 API calls _memset 97997->98042 98003 ff3789 97998->98003 98004 ff3836 97998->98004 98000->97999 98005 ff381f CreatePopupMenu 98000->98005 98007 1061da3 98001->98007 98008 ff37da KillTimer 98001->98008 98002 1061e27 98037 100e312 335 API calls Mailbox 98002->98037 98010 1061e6d 98003->98010 98011 ff3794 98003->98011 98034 100eb83 53 API calls _memset 98004->98034 98005->97999 98014 1061ddc MoveWindow 98007->98014 98015 1061da8 98007->98015 98032 ff3847 Shell_NotifyIconW _memset 98008->98032 98010->97993 98041 102a5f3 48 API calls 98010->98041 98017 ff379f 98011->98017 98018 1061e58 98011->98018 98012 1061e9a 98012->97993 98012->97999 98014->97999 98020 1061dac 98015->98020 98021 1061dcb SetFocus 98015->98021 98017->97993 
98038 ff3847 Shell_NotifyIconW _memset 98017->98038 98040 10355bd 70 API calls _memset 98018->98040 98019 ff3845 98019->97999 98020->98017 98024 1061db5 98020->98024 98021->97999 98022 ff37ed 98033 ff390f DeleteObject DestroyWindow Mailbox 98022->98033 98035 ff2ff6 16 API calls 98024->98035 98027->97993 98030 1061e4c 98039 ff4ffc 67 API calls _memset 98030->98039 98032->98022 98033->97999 98034->98019 98035->97999 98036->98002 98037->98017 98038->98030 98039->98027 98040->98019 98041->98027 98042->98012 98043 11e58f3 98044 11e58fa 98043->98044 98045 11e5998 98044->98045 98046 11e5902 98044->98046 98063 11e6248 9 API calls 98045->98063 98050 11e55a8 98046->98050 98049 11e597f 98051 11e2f98 GetPEB 98050->98051 98052 11e5647 98051->98052 98055 11e56a1 VirtualAlloc 98052->98055 98057 11e5685 98052->98057 98061 11e57a8 CloseHandle 98052->98061 98062 11e57b8 VirtualFree 98052->98062 98064 11e64b8 GetPEB 98052->98064 98054 11e5678 CreateFileW 98054->98052 98054->98057 98056 11e56c2 ReadFile 98055->98056 98055->98057 98056->98057 98060 11e56e0 VirtualAlloc 98056->98060 98058 11e5894 VirtualFree 98057->98058 98059 11e58a2 98057->98059 98058->98059 98059->98049 98060->98052 98060->98057 98061->98052 98062->98052 98063->98049 98065 11e64e2 98064->98065 98065->98054 98066 1068eb8 98070 103a635 98066->98070 98068 1068ec3 98069 103a635 84 API calls 98068->98069 98069->98068 98075 103a66f 98070->98075 98078 103a642 98070->98078 98071 103a671 98082 100ec4e 81 API calls 98071->98082 98072 103a676 98074 ff936c 81 API calls 98072->98074 98076 103a67d 98074->98076 98075->98068 98077 ff510d 48 API calls 98076->98077 98077->98075 98078->98071 98078->98072 98078->98075 98079 103a669 98078->98079 98081 1004525 61 API calls _memcpy_s 98079->98081 98081->98075 98082->98072

                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f976a10aaa1cf6005f44ed18a7d72f330bd930c2d5084a4bbd2681056265ddf0
                          • Instruction ID: 18395edee9f786786cb12f63bd8c1ed60303d27a3eb639dd38d129a2504a18a6
                          • Opcode Fuzzy Hash: f976a10aaa1cf6005f44ed18a7d72f330bd930c2d5084a4bbd2681056265ddf0
                          • Instruction Fuzzy Hash: C0323075B022298FDB358F58D8806E9B7F5FF46310F4841D9E48AE7A48D7389A81CF52


                          APIs
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FF3AA3,?), ref: 00FF3D45
                          • IsDebuggerPresent.KERNEL32(?,?,?,?,00FF3AA3,?), ref: 00FF3D57
                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,010B1148,010B1130,?,?,?,?,00FF3AA3,?), ref: 00FF3DC8
                            • Part of subcall function 00FF6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00FF3DEE,010B1148,?,?,?,?,?,00FF3AA3,?), ref: 00FF6471
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,00FF3AA3,?), ref: 00FF3E48
                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,010A28F4,00000010), ref: 01061CCE
                          • SetCurrentDirectoryW.KERNEL32(?,010B1148,?,?,?,?,?,00FF3AA3,?), ref: 01061D06
                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0108DAB4,010B1148,?,?,?,?,?,00FF3AA3,?), ref: 01061D89
                          • ShellExecuteW.SHELL32(00000000,?,?,?,?,00FF3AA3), ref: 01061D90
                            • Part of subcall function 00FF3E6E: GetSysColorBrush.USER32(0000000F), ref: 00FF3E79
                            • Part of subcall function 00FF3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00FF3E88
                            • Part of subcall function 00FF3E6E: LoadIconW.USER32(00000063), ref: 00FF3E9E
                            • Part of subcall function 00FF3E6E: LoadIconW.USER32(000000A4), ref: 00FF3EB0
                            • Part of subcall function 00FF3E6E: LoadIconW.USER32(000000A2), ref: 00FF3EC2
                            • Part of subcall function 00FF3E6E: RegisterClassExW.USER32(?), ref: 00FF3F30
                            • Part of subcall function 00FF36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FF36E6
                            • Part of subcall function 00FF36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FF3707
                            • Part of subcall function 00FF36B8: ShowWindow.USER32(00000000,?,?,?,?,00FF3AA3,?), ref: 00FF371B
                            • Part of subcall function 00FF36B8: ShowWindow.USER32(00000000,?,?,?,?,00FF3AA3,?), ref: 00FF3724
                            • Part of subcall function 00FF4FFC: _memset.LIBCMT ref: 00FF5022
                            • Part of subcall function 00FF4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00FF50CB
                          Strings
                          • This is a third-party compiled AutoIt script., xrefs: 01061CC8
                          • runas, xrefs: 01061D84
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                          • String ID: This is a third-party compiled AutoIt script.$runas
                          • API String ID: 438480954-3287110873
                          • Opcode ID: 1e99659f4c8dd4b61fb8fb1f6d77ff0c3876fbbb00fe34ac6b281ca4f1fb0291
                          • Instruction ID: 8e7613c418de24d11bb6859b6f5538e27623b955463ad519e8d3b363df6d977d
                          • Opcode Fuzzy Hash: 1e99659f4c8dd4b61fb8fb1f6d77ff0c3876fbbb00fe34ac6b281ca4f1fb0291
                          • Instruction Fuzzy Hash: 96511731E0424DBACB21ABF4EC91EFE7B79AF54B00F004168F3D166166DA795609EB21

                          APIs
                          • GetVersionExW.KERNEL32(?), ref: 0100DDEC
                          • GetCurrentProcess.KERNEL32(00000000,0108DC38,?,?), ref: 0100DEAC
                          • GetNativeSystemInfo.KERNELBASE(?,0108DC38,?,?), ref: 0100DF01
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 0100DF0C
                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 0100DF1F
                          • GetSystemInfo.KERNEL32(?,0108DC38,?,?), ref: 0100DF29
                          • GetSystemInfo.KERNEL32(?,0108DC38,?,?), ref: 0100DF35
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                          • String ID:
                          • API String ID: 3851250370-0
                          • Opcode ID: f09d344bca18996065e5cea22d688a4226599560fddee1daa242b461caf8ae31
                          • Instruction ID: bb2a9e8d524bcc6afecb478fe6b8399c4b0ec9cd708cbcaad67cd937583a3439
                          • Opcode Fuzzy Hash: f09d344bca18996065e5cea22d688a4226599560fddee1daa242b461caf8ae31
                          • Instruction Fuzzy Hash: 1A6172B180A3C4DFDF16DFE894C05EDBFB46F29200F1989D9D9849B24BC624C549CB65

                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00FF449E,?,?,00000000,00000001), ref: 00FF407B
                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00FF449E,?,?,00000000,00000001), ref: 00FF4092
                          • LoadResource.KERNEL32(?,00000000,?,?,00FF449E,?,?,00000000,00000001,?,?,?,?,?,?,00FF41FB), ref: 01064F1A
                          • SizeofResource.KERNEL32(?,00000000,?,?,00FF449E,?,?,00000000,00000001,?,?,?,?,?,?,00FF41FB), ref: 01064F2F
                          • LockResource.KERNEL32(00FF449E,?,?,00FF449E,?,?,00000000,00000001,?,?,?,?,?,?,00FF41FB,00000000), ref: 01064F42
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                          • String ID: SCRIPT
                          • API String ID: 3051347437-3967369404
                          • Opcode ID: 37402ebbff0a1adaba4a1e457451363bb8800209116409e139521932adc5df1b
                          • Instruction ID: 6f1e3af8300e6c1a1c2c1019cb721d576338cdb15fc6dfa6066158b433bd968d
                          • Opcode Fuzzy Hash: 37402ebbff0a1adaba4a1e457451363bb8800209116409e139521932adc5df1b
                          • Instruction Fuzzy Hash: 2B112A71600705AFE7318B65EC48F277BB9EFC5B61F10456CF642962A4DA76EC01AB30
                          APIs
                          • GetFileAttributesW.KERNELBASE(?,01062F49), ref: 01036CB9
                          • FindFirstFileW.KERNELBASE(?,?), ref: 01036CCA
                          • FindClose.KERNEL32(00000000), ref: 01036CDA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FileFind$AttributesCloseFirst
                          • String ID:
                          • API String ID: 48322524-0
                          • Opcode ID: 98fa856ab69be5ab16f0db401b94175cff7f0c2e6117a545884c707567d4470c
                          • Instruction ID: 39573237f9705dc4468a3a98912d30c2beb5af1b627d048db930f55bd680d040
                          • Opcode Fuzzy Hash: 98fa856ab69be5ab16f0db401b94175cff7f0c2e6117a545884c707567d4470c
                          • Instruction Fuzzy Hash: 4EE0D831C214147782206778FC0D8F977ACDE4523AF100755F8B1D11C0E776DA0087E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID:
                          • API String ID: 3964851224-0
                          • Opcode ID: 92227d8e874055189dc31c45f7a1bab09dfa682b861c62b95101ece5ab3e170c
                          • Instruction ID: 4d1092c38afbd8b18a2a20da750808b86de99242c8392bd1088e4aafb42ff783
                          • Opcode Fuzzy Hash: 92227d8e874055189dc31c45f7a1bab09dfa682b861c62b95101ece5ab3e170c
                          • Instruction Fuzzy Hash: 2F927F70608341CFE766DF18C494B6ABBE5BF85308F04885DE9CA8B3A2D775E845CB52
                          APIs
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FFE959
                          • timeGetTime.WINMM ref: 00FFEBFA
                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FFED2E
                          • TranslateMessage.USER32(?), ref: 00FFED3F
                          • DispatchMessageW.USER32(?), ref: 00FFED4A
                          • LockWindowUpdate.USER32(00000000), ref: 00FFED79
                          • DestroyWindow.USER32 ref: 00FFED85
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FFED9F
                          • Sleep.KERNEL32(0000000A), ref: 01065270
                          • TranslateMessage.USER32(?), ref: 010659F7
                          • DispatchMessageW.USER32(?), ref: 01065A05
                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 01065A19
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                          • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                          • API String ID: 2641332412-570651680
                          • Opcode ID: bcc162f5874113a4b3032d72cdff1942044561dba2c613e5be9a049e8b3dca3a
                          • Instruction ID: c0ee279967300a78047b54406691159b4f5cbd53c4417d156e7366392b4ce6b3
                          • Opcode Fuzzy Hash: bcc162f5874113a4b3032d72cdff1942044561dba2c613e5be9a049e8b3dca3a
                          • Instruction Fuzzy Hash: 2F62D170504345DFEB20DF24C894BBA77E8BF94304F04496DEAC69B2A1DB79D848DB62
                          APIs
                          • ___createFile.LIBCMT ref: 01025EC3
                          • ___createFile.LIBCMT ref: 01025F04
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01025F2D
                          • __dosmaperr.LIBCMT ref: 01025F34
                          • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 01025F47
                          • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 01025F6A
                          • __dosmaperr.LIBCMT ref: 01025F73
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 01025F7C
                          • __set_osfhnd.LIBCMT ref: 01025FAC
                          • __lseeki64_nolock.LIBCMT ref: 01026016
                          • __close_nolock.LIBCMT ref: 0102603C
                          • __chsize_nolock.LIBCMT ref: 0102606C
                          • __lseeki64_nolock.LIBCMT ref: 0102607E
                          • __lseeki64_nolock.LIBCMT ref: 01026176
                          • __lseeki64_nolock.LIBCMT ref: 0102618B
                          • __close_nolock.LIBCMT ref: 010261EB
                            • Part of subcall function 0101EA9C: CloseHandle.KERNELBASE(00000000,0109EEF4,00000000,?,01026041,0109EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0101EAEC
                            • Part of subcall function 0101EA9C: GetLastError.KERNEL32(?,01026041,0109EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0101EAF6
                            • Part of subcall function 0101EA9C: __free_osfhnd.LIBCMT ref: 0101EB03
                            • Part of subcall function 0101EA9C: __dosmaperr.LIBCMT ref: 0101EB25
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          • __lseeki64_nolock.LIBCMT ref: 0102620D
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 01026342
                          • ___createFile.LIBCMT ref: 01026361
                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0102636E
                          • __dosmaperr.LIBCMT ref: 01026375
                          • __free_osfhnd.LIBCMT ref: 01026395
                          • __invoke_watson.LIBCMT ref: 010263C3
                          • __wsopen_helper.LIBCMT ref: 010263DD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                          • String ID: @
                          • API String ID: 3896587723-2766056989
                          • Opcode ID: 70b5c8f8c183ef9e86628eefff13506b5d7b7ca5c712d9b759d0d82b82a7ac2e
                          • Instruction ID: 3ad2bd803fc253ca88d7c3077c37d519c80a74208252921e295dfa0f875d1337
                          • Opcode Fuzzy Hash: 70b5c8f8c183ef9e86628eefff13506b5d7b7ca5c712d9b759d0d82b82a7ac2e
                          • Instruction Fuzzy Hash: 8722377190012A9BEF2A9E6CCC84BFE7FB1EB15314F2442A8EED1972D5C33A8941C751


                          APIs
                          • _wcscpy.LIBCMT ref: 0103FA96
                          • _wcschr.LIBCMT ref: 0103FAA4
                          • _wcscpy.LIBCMT ref: 0103FABB
                          • _wcscat.LIBCMT ref: 0103FACA
                          • _wcscat.LIBCMT ref: 0103FAE8
                          • _wcscpy.LIBCMT ref: 0103FB09
                          • __wsplitpath.LIBCMT ref: 0103FBE6
                          • _wcscpy.LIBCMT ref: 0103FC0B
                          • _wcscpy.LIBCMT ref: 0103FC1D
                          • _wcscpy.LIBCMT ref: 0103FC32
                          • _wcscat.LIBCMT ref: 0103FC47
                          • _wcscat.LIBCMT ref: 0103FC59
                          • _wcscat.LIBCMT ref: 0103FC6E
                            • Part of subcall function 0103BFA4: _wcscmp.LIBCMT ref: 0103C03E
                            • Part of subcall function 0103BFA4: __wsplitpath.LIBCMT ref: 0103C083
                            • Part of subcall function 0103BFA4: _wcscpy.LIBCMT ref: 0103C096
                            • Part of subcall function 0103BFA4: _wcscat.LIBCMT ref: 0103C0A9
                            • Part of subcall function 0103BFA4: __wsplitpath.LIBCMT ref: 0103C0CE
                            • Part of subcall function 0103BFA4: _wcscat.LIBCMT ref: 0103C0E4
                            • Part of subcall function 0103BFA4: _wcscat.LIBCMT ref: 0103C0F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                          • String ID: >>>AUTOIT SCRIPT<<<
                          • API String ID: 2955681530-2806939583
                          • Opcode ID: 435d95ce3c728e383507e97a4282e61ae3b4d0faa3cdfd741527f634d8a78506
                          • Instruction ID: 514cec537576d243a0ec7c2466befa812a0fb3ef0afabce33523d4da335f816a
                          • Opcode Fuzzy Hash: 435d95ce3c728e383507e97a4282e61ae3b4d0faa3cdfd741527f634d8a78506
                          • Instruction Fuzzy Hash: FC91A17150470AAFDB21EB54C850F9EB3EDBF94300F004859F9D9972A1DB35EA44CB92


                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00FF3F86
                          • RegisterClassExW.USER32(00000030), ref: 00FF3FB0
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF3FC1
                          • InitCommonControlsEx.COMCTL32(?), ref: 00FF3FDE
                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FF3FEE
                          • LoadIconW.USER32(000000A9), ref: 00FF4004
                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FF4013
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                          • API String ID: 2914291525-1005189915
                          • Opcode ID: eb0e84eccb0a4c265a6ab5fc8a36eef4954792ca39c1e4e59f9a146c0e9e9d6c
                          • Instruction ID: b56dc40887ab4dc875bcc3a3466e6da1bd268ed7bfeeebab45a009d840d193a3
                          • Opcode Fuzzy Hash: eb0e84eccb0a4c265a6ab5fc8a36eef4954792ca39c1e4e59f9a146c0e9e9d6c
                          • Instruction Fuzzy Hash: 5E21B2B5D00318AFDB209FE4E889BCDBBB4FB08700F10421AFA91B6284D7BA4544CF91

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0103BDB4: __time64.LIBCMT ref: 0103BDBE
                            • Part of subcall function 00FF4517: _fseek.LIBCMT ref: 00FF452F
                          • __wsplitpath.LIBCMT ref: 0103C083
                            • Part of subcall function 01011DFC: __wsplitpath_helper.LIBCMT ref: 01011E3C
                          • _wcscpy.LIBCMT ref: 0103C096
                          • _wcscat.LIBCMT ref: 0103C0A9
                          • __wsplitpath.LIBCMT ref: 0103C0CE
                          • _wcscat.LIBCMT ref: 0103C0E4
                          • _wcscat.LIBCMT ref: 0103C0F7
                          • _wcscmp.LIBCMT ref: 0103C03E
                            • Part of subcall function 0103C56D: _wcscmp.LIBCMT ref: 0103C65D
                            • Part of subcall function 0103C56D: _wcscmp.LIBCMT ref: 0103C670
                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0103C2A1
                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0103C338
                          • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0103C34E
                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0103C35F
                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0103C371
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                          • String ID:
                          • API String ID: 2378138488-0
                          • Opcode ID: 93e148146dc5ec8803e6da395688d9e84f0153ea3ff116f7ddebde40399d6d23
                          • Instruction ID: 6cbd54ca6c0db2de40fb3ba8d21ed32dd19cf169aed5aae58897dd242ec11eec
                          • Opcode Fuzzy Hash: 93e148146dc5ec8803e6da395688d9e84f0153ea3ff116f7ddebde40399d6d23
                          • Instruction Fuzzy Hash: F1C11CB1E00219ABDF21DF95CD80EEEB7BDAF99310F0040A6E649F7151DB749A848F61

                          Control-flow Graph

                          APIs
                          • DefWindowProcW.USER32(?,?,?,?), ref: 00FF37B3
                          • KillTimer.USER32(?,00000001), ref: 00FF37DD
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00FF3800
                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF380B
                          • CreatePopupMenu.USER32 ref: 00FF381F
                          • PostQuitMessage.USER32(00000000), ref: 00FF382E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                          • String ID: TaskbarCreated
                          • API String ID: 129472671-2362178303
                          • Opcode ID: 26c8a406bf221a20c419b52891c30584b4e71cad530d0c80c65020e1a6f561c8
                          • Instruction ID: 2c5f98a1a489283f1c71b9458e276279fdadf30c3a0dfbcacb34a6b9db9db805
                          • Opcode Fuzzy Hash: 26c8a406bf221a20c419b52891c30584b4e71cad530d0c80c65020e1a6f561c8
                          • Instruction Fuzzy Hash: 1D412BF761814EA7DB207B78EC9DBBA3699FF44310F100555F781D21A4CB799900B7A1

                          Control-flow Graph

                          APIs
                          • GetSysColorBrush.USER32(0000000F), ref: 00FF3E79
                          • LoadCursorW.USER32(00000000,00007F00), ref: 00FF3E88
                          • LoadIconW.USER32(00000063), ref: 00FF3E9E
                          • LoadIconW.USER32(000000A4), ref: 00FF3EB0
                          • LoadIconW.USER32(000000A2), ref: 00FF3EC2
                            • Part of subcall function 00FF4024: LoadImageW.USER32(00FF0000,00000063,00000001,00000010,00000010,00000000), ref: 00FF4048
                          • RegisterClassExW.USER32(?), ref: 00FF3F30
                            • Part of subcall function 00FF3F53: GetSysColorBrush.USER32(0000000F), ref: 00FF3F86
                            • Part of subcall function 00FF3F53: RegisterClassExW.USER32(00000030), ref: 00FF3FB0
                            • Part of subcall function 00FF3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00FF3FC1
                            • Part of subcall function 00FF3F53: InitCommonControlsEx.COMCTL32(?), ref: 00FF3FDE
                            • Part of subcall function 00FF3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00FF3FEE
                            • Part of subcall function 00FF3F53: LoadIconW.USER32(000000A9), ref: 00FF4004
                            • Part of subcall function 00FF3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00FF4013
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                          • String ID: #$0$AutoIt v3
                          • API String ID: 423443420-4155596026
                          • Opcode ID: 39127df7fddd18f0475710e66fe62d58d50c4e70bfdbb05c77e061daa2d6d2d8
                          • Instruction ID: 86cca55f3f5b363bfe5d22a1796428eab7a73c83e4318c900dba382c7b1f8017
                          • Opcode Fuzzy Hash: 39127df7fddd18f0475710e66fe62d58d50c4e70bfdbb05c77e061daa2d6d2d8
                          • Instruction Fuzzy Hash: C92141B0E04308ABCB20DFA9F896A9ABFF5FB48310F10451AE244B2294D77A4610CB91

                          Control-flow Graph

                          APIs
                          • __lock.LIBCMT ref: 0101ACC1
                            • Part of subcall function 01017CF4: __mtinitlocknum.LIBCMT ref: 01017D06
                            • Part of subcall function 01017CF4: EnterCriticalSection.KERNEL32(00000000,?,01017ADD,0000000D), ref: 01017D1F
                          • __calloc_crt.LIBCMT ref: 0101ACD2
                            • Part of subcall function 01016986: __calloc_impl.LIBCMT ref: 01016995
                            • Part of subcall function 01016986: Sleep.KERNEL32(00000000,000003BC,0100F507,?,0000000E), ref: 010169AC
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 0101ACED
                          • GetStartupInfoW.KERNEL32(?,010A6E28,00000064,01015E91,010A6C70,00000014), ref: 0101AD46
                          • __calloc_crt.LIBCMT ref: 0101AD91
                          • GetFileType.KERNEL32(00000001), ref: 0101ADD8
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0101AE11
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                          • String ID:
                          • API String ID: 1426640281-0
                          • Opcode ID: 751227fddfd120a91bfb0621637d390920b88ad2746781ec526c2e354e4273b5
                          • Instruction ID: c6d8f2594e424b504e37632863865e5d144d616214a68ec644551e7ccafe00f4
                          • Opcode Fuzzy Hash: 751227fddfd120a91bfb0621637d390920b88ad2746781ec526c2e354e4273b5
                          • Instruction Fuzzy Hash: E181A271A06685CFDB24CFA8C8805ADBBF0AF05324B14425DD4E6AB3C9D73D9803CB54

                          Control-flow Graph

                          APIs
                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011E5679
                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011E589F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11e2000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateFileFreeVirtual
                          • String ID:
                          • API String ID: 204039940-0
                          • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                          • Instruction ID: 83eedf8d5db6d79bb7eb384064cb2e9a90b632b622e01e57cad9ca4982a97ede
                          • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                          • Instruction Fuzzy Hash: 30A10B74E40609EBDB58CFE4C898BEEBBB6BF48318F208159E501BB281D7759A40CF55

                          Control-flow Graph

                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FF4A1D
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 010641DB
                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0106421A
                          • RegCloseKey.ADVAPI32(?), ref: 01064249
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: QueryValue$CloseOpen
                          • String ID: Include$Software\AutoIt v3\AutoIt
                          • API String ID: 1586453840-614718249
                          • Opcode ID: 72c3bb55ea6e640ca163093997a6710601e4af90e752fb316f27c0284c50aa93
                          • Instruction ID: 1c117566de77b997dfb81c6a7d90e3f8f010d1c67cd335242b608b4e242ef284
                          • Opcode Fuzzy Hash: 72c3bb55ea6e640ca163093997a6710601e4af90e752fb316f27c0284c50aa93
                          • Instruction Fuzzy Hash: 58113071A0010DBFEB15AAE4DD85EBF7BACEF04344F101059B546E6191EA75AE01A750

                          Control-flow Graph

                          APIs
                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00FF36E6
                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00FF3707
                          • ShowWindow.USER32(00000000,?,?,?,?,00FF3AA3,?), ref: 00FF371B
                          • ShowWindow.USER32(00000000,?,?,?,?,00FF3AA3,?), ref: 00FF3724
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$CreateShow
                          • String ID: AutoIt v3$edit
                          • API String ID: 1584632944-3779509399
                          • Opcode ID: 6da6859cdd1b501de3d865242ff3e08e8fe7e32514a3f7f0a4c40b303378f301
                          • Instruction ID: f20ffaebc6b81e462f21f067a21baaf180d26e9f75243fdc6ae0fd24789a3de1
                          • Opcode Fuzzy Hash: 6da6859cdd1b501de3d865242ff3e08e8fe7e32514a3f7f0a4c40b303378f301
                          • Instruction Fuzzy Hash: 2DF05471A582D07AD7305657BC58EB77E7DE7C6F20F10001FBA84A2194C1BA0841CB70

                          Control-flow Graph

                          APIs
                            • Part of subcall function 011E5238: Sleep.KERNELBASE(000001F4), ref: 011E5249
                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011E549C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11e2000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateFileSleep
                          • String ID: G7J1VCG2W8ZEUFZB78ED77
                          • API String ID: 2694422964-3782330461
                          • Opcode ID: 2abaec76de498787047cf98724badc54971b31649b6ad6e35c2bd7faa4ea59ac
                          • Instruction ID: a199683611f8876d9a40756e15ea69b753f6d1e958351971c2ee36fd41762128
                          • Opcode Fuzzy Hash: 2abaec76de498787047cf98724badc54971b31649b6ad6e35c2bd7faa4ea59ac
                          • Instruction Fuzzy Hash: 3F618430D04249DAEF15DBE4D848BEEBBB5AF15304F044199E248BB2C1D7BA1B45CB66
                          APIs
                            • Part of subcall function 00FF41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FF39FE,?,00000001), ref: 00FF41DB
                          • _free.LIBCMT ref: 010636B7
                          • _free.LIBCMT ref: 010636FE
                            • Part of subcall function 00FFC833: __wsplitpath.LIBCMT ref: 00FFC93E
                            • Part of subcall function 00FFC833: _wcscpy.LIBCMT ref: 00FFC953
                            • Part of subcall function 00FFC833: _wcscat.LIBCMT ref: 00FFC968
                            • Part of subcall function 00FFC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FFC978
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                          • API String ID: 805182592-1757145024
                          • Opcode ID: d65942dbdaa65993475ac6a5f1261f9d64c977c32bafde1fd46f92a4d42083f8
                          • Instruction ID: db52d809fa8b50dc1f2fc52bd00febae9a53fd16914f9f2f35497864d8e4870a
                          • Opcode Fuzzy Hash: d65942dbdaa65993475ac6a5f1261f9d64c977c32bafde1fd46f92a4d42083f8
                          • Instruction Fuzzy Hash: C891827191021DAFDF05EFA8CC519FEB7B8BF18314F00406AF59AAB291DB74A904CB90
                          APIs
                            • Part of subcall function 00FF5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010B1148,?,00FF61FF,?,00000000,00000001,00000000), ref: 00FF5392
                            • Part of subcall function 00FF49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00FF4A1D
                          • _wcscat.LIBCMT ref: 01062D80
                          • _wcscat.LIBCMT ref: 01062DB5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscat$FileModuleNameOpen
                          • String ID: \$\Include\
                          • API String ID: 3592542968-2640467822
                          • Opcode ID: ddd301dc0b88801595f4ae33a95d5c616c2a8413045966764926abdfc75a502e
                          • Instruction ID: 5770a872074d12498806a87c3afa8b0270d11286082b9e24b3a7a91f74ef620a
                          • Opcode Fuzzy Hash: ddd301dc0b88801595f4ae33a95d5c616c2a8413045966764926abdfc75a502e
                          • Instruction Fuzzy Hash: FE515D794043449B8324EF59E9C18EAB7F8BFA9310B40492EF7C493254EB39A548DB56
                          APIs
                          • __getstream.LIBCMT ref: 010134FE
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          • @_EH4_CallFilterFunc@8.LIBCMT ref: 01013539
                          • __wopenfile.LIBCMT ref: 01013549
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                          • String ID: <G
                          • API String ID: 1820251861-2138716496
                          • Opcode ID: ea402d93d988ce1d2861fd99151631d6b5c23075a54983263a903c540d9b32e3
                          • Instruction ID: 4f76cedd1fd7f2662cc9cf778df6c1714f4802d62352886a34a504de7eef7427
                          • Opcode Fuzzy Hash: ea402d93d988ce1d2861fd99151631d6b5c23075a54983263a903c540d9b32e3
                          • Instruction Fuzzy Hash: 41113670A40207DBDB52BFB48C406AE3AE0BF15770B048469E895CF288EF7CC901CBA1
                          APIs
                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0100D28B,SwapMouseButtons,00000004,?), ref: 0100D2BC
                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0100D28B,SwapMouseButtons,00000004,?,?,?,?,0100C865), ref: 0100D2DD
                          • RegCloseKey.KERNELBASE(00000000,?,?,0100D28B,SwapMouseButtons,00000004,?,?,?,?,0100C865), ref: 0100D2FF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CloseOpenQueryValue
                          • String ID: Control Panel\Mouse
                          • API String ID: 3677997916-824357125
                          • Opcode ID: b6381279e84123b5c73c1a71331754b6e17f5aa711fe24bb1e82a9b6d3011a43
                          • Instruction ID: ad2848a3491b1005629549458762ed7c8895536f197c5b19a522f4248a48fa94
                          • Opcode Fuzzy Hash: b6381279e84123b5c73c1a71331754b6e17f5aa711fe24bb1e82a9b6d3011a43
                          • Instruction Fuzzy Hash: 2C113C75A11208BFEB228FE8C884EAF7BF8EF44754F008469F945E7150D631AA419B60
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 011E4A65
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011E4A89
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011E4AAB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_11e2000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$ContextCreateMemoryReadThreadWow64
                          • String ID:
                          • API String ID: 2438371351-0
                          • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                          • Instruction ID: a3cb2324c3dfb7500b44b159c2ce0b7b06122d6e505b5b2aee14ed2ae7c7e9f5
                          • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                          • Instruction Fuzzy Hash: 62620D30A146589BEB28CFA4C844BDEB776FF58300F1091A9D10DEB790E7769E81CB59
                          APIs
                            • Part of subcall function 00FF4517: _fseek.LIBCMT ref: 00FF452F
                            • Part of subcall function 0103C56D: _wcscmp.LIBCMT ref: 0103C65D
                            • Part of subcall function 0103C56D: _wcscmp.LIBCMT ref: 0103C670
                          • _free.LIBCMT ref: 0103C4DD
                          • _free.LIBCMT ref: 0103C4E4
                          • _free.LIBCMT ref: 0103C54F
                            • Part of subcall function 01011C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,01017A85), ref: 01011CB1
                            • Part of subcall function 01011C9D: GetLastError.KERNEL32(00000000,?,01017A85), ref: 01011CC3
                          • _free.LIBCMT ref: 0103C557
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                          • String ID:
                          • API String ID: 1552873950-0
                          • Opcode ID: 5855495d8b716de12843966f04efea6feebcbf0da52c17cc05b2843a1aa341a9
                          • Instruction ID: 88c0da03ae901c441578bf2f30c6eb2359ab58262c6d093865c459082c229b3d
                          • Opcode Fuzzy Hash: 5855495d8b716de12843966f04efea6feebcbf0da52c17cc05b2843a1aa341a9
                          • Instruction Fuzzy Hash: C2514CB1904219AFDF149F68DC80AEEBBB9FF48314F0000AEA659F7251DB755A808F58
                          APIs
                          • _memset.LIBCMT ref: 01063725
                          • GetOpenFileNameW.COMDLG32 ref: 0106376F
                            • Part of subcall function 00FF660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF53B1,?,?,00FF61FF,?,00000000,00000001,00000000), ref: 00FF662F
                            • Part of subcall function 00FF40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF40C6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Name$Path$FileFullLongOpen_memset
                          • String ID: X
                          • API String ID: 3777226403-3081909835
                          • Opcode ID: c37956c97a4a22142d7c085b0d2b1eb9c2f80ab3d0fe3cbc1e1e87759953e0b5
                          • Instruction ID: 62138f86ab4b6a2845f18c37d99af00e99a33871243c1535466ec5e78e4ad0f9
                          • Opcode Fuzzy Hash: c37956c97a4a22142d7c085b0d2b1eb9c2f80ab3d0fe3cbc1e1e87759953e0b5
                          • Instruction Fuzzy Hash: 6521C671A1015CABCB11DFD8CC457EEBBF8AF48300F004059E545EB241DBB865899FA1
                          APIs
                          • GetTempPathW.KERNEL32(00000104,?), ref: 0103C72F
                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0103C746
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Temp$FileNamePath
                          • String ID: aut
                          • API String ID: 3285503233-3010740371
                          • Opcode ID: 02da018cd06a907cc88760cc8224d20a3b556af867b5bedca5732155513888fc
                          • Instruction ID: f326faa9f6e06f5c611b03ce85376259693f1a96eac36ea490d524a79263e5f9
                          • Opcode Fuzzy Hash: 02da018cd06a907cc88760cc8224d20a3b556af867b5bedca5732155513888fc
                          • Instruction Fuzzy Hash: 05D05B7154030E6BDB5096D0DC0DF86776C5B10704F0001507690A50A1DA79D5978B54
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b39b6e885990274fb06df40e52fc0d4465f695d5dc86497c1e29579ebe27a9e3
                          • Instruction ID: 81078a8410c4f08ef3088c0bb9a49b3ef3ea0a3a92be8ff22a1fe8b47941fe46
                          • Opcode Fuzzy Hash: b39b6e885990274fb06df40e52fc0d4465f695d5dc86497c1e29579ebe27a9e3
                          • Instruction Fuzzy Hash: D6F17AB16043069FD710DF28C984B6EBBE5FF88314F14896EE9D59B291DB34E905CB82
                          APIs
                          • __FF_MSGBANNER.LIBCMT ref: 01013973
                            • Part of subcall function 010181C2: __NMSG_WRITE.LIBCMT ref: 010181E9
                            • Part of subcall function 010181C2: __NMSG_WRITE.LIBCMT ref: 010181F3
                          • __NMSG_WRITE.LIBCMT ref: 0101397A
                            • Part of subcall function 0101821F: GetModuleFileNameW.KERNEL32(00000000,010B0312,00000104,00000000,00000001,00000000), ref: 010182B1
                            • Part of subcall function 0101821F: ___crtMessageBoxW.LIBCMT ref: 0101835F
                            • Part of subcall function 01011145: ___crtCorExitProcess.LIBCMT ref: 0101114B
                            • Part of subcall function 01011145: ExitProcess.KERNEL32 ref: 01011154
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          • RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000001,00000000,?,?,0100F507,?,0000000E), ref: 0101399F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                          • String ID:
                          • API String ID: 1372826849-0
                          • Opcode ID: 60e378ea4013ad7f38d6ebc035acb4f07337364df63e9049df9f242da9514bce
                          • Instruction ID: e6aa594104080909c1cc6ebdf64c7ae3256e664057cc213cf744cec1729ab1e3
                          • Opcode Fuzzy Hash: 60e378ea4013ad7f38d6ebc035acb4f07337364df63e9049df9f242da9514bce
                          • Instruction Fuzzy Hash: 8601F5363812129AF6663B78E841BAE3399BF91634F10002AF6C59F18CDF7CD80087A0
                          APIs
                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0103C385,?,?,?,?,?,00000004), ref: 0103C6F2
                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0103C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0103C708
                          • CloseHandle.KERNEL32(00000000,?,0103C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0103C70F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: File$CloseCreateHandleTime
                          • String ID:
                          • API String ID: 3397143404-0
                          • Opcode ID: 9d05517bc31204b9585ce3686d5f84762cce46e24f551760a3cdc8a5081e7caa
                          • Instruction ID: e3d44f3fddb10ecc574db6f9a17da4b97965f9dc942e7ae243056468e924065c
                          • Opcode Fuzzy Hash: 9d05517bc31204b9585ce3686d5f84762cce46e24f551760a3cdc8a5081e7caa
                          • Instruction Fuzzy Hash: E3E08632580214B7E7312A94AC09FCA7F59AF05761F104110FB94790D097B625118798
                          APIs
                          • _free.LIBCMT ref: 0103BB72
                            • Part of subcall function 01011C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,01017A85), ref: 01011CB1
                            • Part of subcall function 01011C9D: GetLastError.KERNEL32(00000000,?,01017A85), ref: 01011CC3
                          • _free.LIBCMT ref: 0103BB83
                          • _free.LIBCMT ref: 0103BB95
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _free$ErrorFreeHeapLast
                          • String ID:
                          • API String ID: 776569668-0
                          • Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                          • Instruction ID: 8b312a6e7f48dddb4f1bd6fc1f03e366f281b2242507d4932af6c36c85463fdf
                          • Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
                          • Instruction Fuzzy Hash: 18E0C2B120074642EA3C653C6E44EF733CC0F84218704084DB7D9E3148CE78E44084A4
                          APIs
                            • Part of subcall function 00FF22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00FF24F1), ref: 00FF2303
                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00FF25A1
                          • CoInitialize.OLE32(00000000), ref: 00FF2618
                          • CloseHandle.KERNEL32(00000000), ref: 0106503A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Handle$CloseInitializeMessageRegisterWindow
                          • String ID:
                          • API String ID: 3815369404-0
                          • Opcode ID: 909627bab09137fabdb2e12c655c03feb69eb866cf493caf7d3a60b0e129ce42
                          • Instruction ID: 830272119462a21a2937d3caa8fbae63a2d3ada7c650404ea8c1236716f655f1
                          • Opcode Fuzzy Hash: 909627bab09137fabdb2e12c655c03feb69eb866cf493caf7d3a60b0e129ce42
                          • Instruction Fuzzy Hash: 9371CDF59022458B8724EF6AF4F04D9BBA5FB583407A4816ED1C9C73A9DB3E4820CF54
                          APIs
                          • IsThemeActive.UXTHEME ref: 00FF3A73
                            • Part of subcall function 01011405: __lock.LIBCMT ref: 0101140B
                            • Part of subcall function 00FF3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00FF3AF3
                            • Part of subcall function 00FF3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FF3B08
                            • Part of subcall function 00FF3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00FF3AA3,?), ref: 00FF3D45
                            • Part of subcall function 00FF3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00FF3AA3,?), ref: 00FF3D57
                            • Part of subcall function 00FF3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,010B1148,010B1130,?,?,?,?,00FF3AA3,?), ref: 00FF3DC8
                            • Part of subcall function 00FF3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00FF3AA3,?), ref: 00FF3E48
                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00FF3AB3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                          • String ID:
                          • API String ID: 924797094-0
                          • Opcode ID: 69420393ef4da876c7d14daf6564427115d21916f8de51f3abb1ee2412898a48
                          • Instruction ID: aec3f6b7ab2cc2a8d5f167e8d1d30086534ebf6bbeaa67547dca44900193a92d
                          • Opcode Fuzzy Hash: 69420393ef4da876c7d14daf6564427115d21916f8de51f3abb1ee2412898a48
                          • Instruction Fuzzy Hash: 2D11D271A08345DFC310EF69E88499AFBE8FFA4710F00491EF5C4872A4DBB99545CB92
                          APIs
                          • ___lock_fhandle.LIBCMT ref: 0101EA29
                          • __close_nolock.LIBCMT ref: 0101EA42
                            • Part of subcall function 01017BDA: __getptd_noexit.LIBCMT ref: 01017BDA
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                          • String ID:
                          • API String ID: 1046115767-0
                          • Opcode ID: bdded14f45239c0138c6b1e53357cae3f93e76c014474f2f4206b97aafb3c523
                          • Instruction ID: 3c4d7bf334a9c6d882f793a5f843f46972622d161b3a72393242c9c18ca67b9d
                          • Opcode Fuzzy Hash: bdded14f45239c0138c6b1e53357cae3f93e76c014474f2f4206b97aafb3c523
                          • Instruction Fuzzy Hash: FF11C6739016018AD323BF68C88039D3EA16F51335F5A0344D9E14F1EDC7BDA940CBA1
                          APIs
                            • Part of subcall function 0101395C: __FF_MSGBANNER.LIBCMT ref: 01013973
                            • Part of subcall function 0101395C: __NMSG_WRITE.LIBCMT ref: 0101397A
                            • Part of subcall function 0101395C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000001,00000000,?,?,0100F507,?,0000000E), ref: 0101399F
                          • std::exception::exception.LIBCMT ref: 0100F51E
                          • __CxxThrowException@8.LIBCMT ref: 0100F533
                            • Part of subcall function 01016805: RaiseException.KERNEL32(?,?,0000000E,010A6A30,?,?,?,0100F538,0000000E,010A6A30,?,00000001), ref: 01016856
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                          • String ID:
                          • API String ID: 3902256705-0
                          • Opcode ID: 1ae54419b6f5676dc3932b9c7c58c383c542d522623c984c0eecda7d471eafce
                          • Instruction ID: 6a94c1553222b8476f1f5f491f9d671ec77c2b6a0cd34beed31e90a20f2a9d52
                          • Opcode Fuzzy Hash: 1ae54419b6f5676dc3932b9c7c58c383c542d522623c984c0eecda7d471eafce
                          • Instruction Fuzzy Hash: 0CF0F43150021F67EB15BFACDC109DE7BE8BF10210F608565EA8496180DFB2924497A5
                          APIs
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          • __lock_file.LIBCMT ref: 01013629
                            • Part of subcall function 01014E1C: __lock.LIBCMT ref: 01014E3F
                          • __fclose_nolock.LIBCMT ref: 01013634
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                          • String ID:
                          • API String ID: 2800547568-0
                          • Opcode ID: 095a0aff014bd0a567dbd8b13172ff831f159f91735d7400cd646fae5b80a637
                          • Instruction ID: c0f70049f9b63a03f15112c815112db550c4b9ae0c6a4fa451a1b1aba56a9a3c
                          • Opcode Fuzzy Hash: 095a0aff014bd0a567dbd8b13172ff831f159f91735d7400cd646fae5b80a637
                          • Instruction Fuzzy Hash: 3CF0BE329012069ADB11BB698C007AEBAE07FA5730F25C648D4E0AF2D8CBBC85418F95
                          APIs
                          • CreateProcessW.KERNELBASE(?,00000000), ref: 011E4A65
                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011E4A89
                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011E4AAB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          APIs
                          • __flush.LIBCMT ref: 01012A0B
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                            • Part of subcall function 00FF4214: FreeLibrary.KERNEL32(00000000,?), ref: 00FF4247
                          • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,00FF39FE,?,00000001), ref: 00FF41DB
                            • Part of subcall function 00FF4291: FreeLibrary.KERNEL32(00000000), ref: 00FF42C4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          • ___lock_fhandle.LIBCMT ref: 0101AFC0
                            • Part of subcall function 01017BDA: __getptd_noexit.LIBCMT ref: 01017BDA
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          • __lock_file.LIBCMT ref: 01012AED
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          • FreeLibrary.KERNEL32(?,?,?,?,?,00FF39FE,?,00000001), ref: 00FF4286
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FF40C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 011E5249
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          APIs
                          • Sleep.KERNELBASE(000001F4), ref: 011E5249
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020955679.00000000011E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 011E2000, based on PE: false
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0105F87D
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105F8DC
                          • GetWindowLongW.USER32(?,000000F0), ref: 0105F919
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105F940
                          • SendMessageW.USER32 ref: 0105F966
                          • _wcsncpy.LIBCMT ref: 0105F9D2
                          • GetKeyState.USER32(00000011), ref: 0105F9F3
                          • GetKeyState.USER32(00000009), ref: 0105FA00
                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0105FA16
                          • GetKeyState.USER32(00000010), ref: 0105FA20
                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0105FA4F
                          • SendMessageW.USER32 ref: 0105FA72
                          • SendMessageW.USER32(?,00001030,?,0105E059), ref: 0105FB6F
                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0105FB85
                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0105FB96
                          • SetCapture.USER32(?), ref: 0105FB9F
                          • ClientToScreen.USER32(?,?), ref: 0105FC03
                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0105FC0F
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0105FC29
                          • ReleaseCapture.USER32 ref: 0105FC34
                          • GetCursorPos.USER32(?), ref: 0105FC69
                          • ScreenToClient.USER32(?,?), ref: 0105FC76
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0105FCD8
                          • SendMessageW.USER32 ref: 0105FD02
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0105FD41
                          • SendMessageW.USER32 ref: 0105FD6C
                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0105FD84
                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0105FD8F
                          • GetCursorPos.USER32(?), ref: 0105FDB0
                          • ScreenToClient.USER32(?,?), ref: 0105FDBD
                          • GetParent.USER32(?), ref: 0105FDD9
                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 0105FE3F
                          • SendMessageW.USER32 ref: 0105FE6F
                          • ClientToScreen.USER32(?,?), ref: 0105FEC5
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0105FEF1
                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0105FF19
                          • SendMessageW.USER32 ref: 0105FF3C
                          • ClientToScreen.USER32(?,?), ref: 0105FF86
                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0105FFB6
                          • GetWindowLongW.USER32(?,000000F0), ref: 0106004B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • String ID: @GUI_DRAGID$F
                          APIs
                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0105B1CD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • String ID: %d/%02d/%02d
                          APIs
                          • GetForegroundWindow.USER32(00000000,00000000), ref: 0100EB4A
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 01063AEA
                          • IsIconic.USER32(000000FF), ref: 01063AF3
                          • ShowWindow.USER32(000000FF,00000009), ref: 01063B00
                          • SetForegroundWindow.USER32(000000FF), ref: 01063B0A
                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 01063B20
                          • GetCurrentThreadId.KERNEL32 ref: 01063B27
                          • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 01063B33
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01063B44
                          • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 01063B4C
                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 01063B54
                          • SetForegroundWindow.USER32(000000FF), ref: 01063B57
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 01063B6C
                          • keybd_event.USER32(00000012,00000000), ref: 01063B77
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 01063B81
                          • keybd_event.USER32(00000012,00000000), ref: 01063B86
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 01063B8F
                          • keybd_event.USER32(00000012,00000000), ref: 01063B94
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 01063B9E
                          • keybd_event.USER32(00000012,00000000), ref: 01063BA3
                          • SetForegroundWindow.USER32(000000FF), ref: 01063BA6
                          • AttachThreadInput.USER32(000000FF,?,00000000), ref: 01063BCD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • String ID: Shell_TrayWnd
                          • API String ID: 4125248594-2988720461
                          • Opcode ID: 3e83c36c091aa0376d1968b569799a8e67fb67909ccd7b90deaf6d295e86db0b
                          • Instruction ID: 1ef6234a1e7bccbae36180d110854509301e3739cc0ebae24eb1e7a2315ba5d5
                          • Opcode Fuzzy Hash: 3e83c36c091aa0376d1968b569799a8e67fb67909ccd7b90deaf6d295e86db0b
                          • Instruction Fuzzy Hash: C0314171E40318BBEB316BA59C4AF7F7E6CEF44B50F104055FA49FA1C1DAB659009BA0
                          APIs
                            • Part of subcall function 0102B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102B180
                            • Part of subcall function 0102B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102B1AD
                            • Part of subcall function 0102B134: GetLastError.KERNEL32 ref: 0102B1BA
                          • _memset.LIBCMT ref: 0102AD08
                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0102AD5A
                          • CloseHandle.KERNEL32(?), ref: 0102AD6B
                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0102AD82
                          • GetProcessWindowStation.USER32 ref: 0102AD9B
                          • SetProcessWindowStation.USER32(00000000), ref: 0102ADA5
                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0102ADBF
                            • Part of subcall function 0102AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0102ACC0), ref: 0102AB99
                            • Part of subcall function 0102AB84: CloseHandle.KERNEL32(?,?,0102ACC0), ref: 0102ABAB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                          • String ID: $default$winsta0
                          • API String ID: 2063423040-1027155976
                          • Opcode ID: 5d950ca194293ac2e4d6c64ec93be1e5284e9f1d06e2f591bdec6f56a0be8be8
                          • Instruction ID: d936f3beca8b2190eb122d6bd3425c8e8dd76f9cd521dfc7131bf62b2ec3c6b8
                          • Opcode Fuzzy Hash: 5d950ca194293ac2e4d6c64ec93be1e5284e9f1d06e2f591bdec6f56a0be8be8
                          • Instruction Fuzzy Hash: 67818D71A00259EFEF219FA8CC44AEEBBB8FF18304F044159F994B7950DB358A45DB60
                          APIs
                            • Part of subcall function 01036EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01035FA6,?), ref: 01036ED8
                            • Part of subcall function 01036EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01035FA6,?), ref: 01036EF1
                            • Part of subcall function 0103725E: __wsplitpath.LIBCMT ref: 0103727B
                            • Part of subcall function 0103725E: __wsplitpath.LIBCMT ref: 0103728E
                            • Part of subcall function 010372CB: GetFileAttributesW.KERNEL32(?,01036019), ref: 010372CC
                          • _wcscat.LIBCMT ref: 01036149
                          • _wcscat.LIBCMT ref: 01036167
                          • __wsplitpath.LIBCMT ref: 0103618E
                          • FindFirstFileW.KERNEL32(?,?), ref: 010361A4
                          • _wcscpy.LIBCMT ref: 01036209
                          • _wcscat.LIBCMT ref: 0103621C
                          • _wcscat.LIBCMT ref: 0103622F
                          • lstrcmpiW.KERNEL32(?,?), ref: 0103625D
                          • DeleteFileW.KERNEL32(?), ref: 0103626E
                          • MoveFileW.KERNEL32(?,?), ref: 01036289
                          • MoveFileW.KERNEL32(?,?), ref: 01036298
                          • CopyFileW.KERNEL32(?,?,00000000), ref: 010362AD
                          • DeleteFileW.KERNEL32(?), ref: 010362BE
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 010362E1
                          • FindClose.KERNEL32(00000000), ref: 010362FD
                          • FindClose.KERNEL32(00000000), ref: 0103630B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                          • String ID: \*.*
                          • API String ID: 1917200108-1173974218
                          • Opcode ID: 9f58ba08ac14ae7648ea27a3c17a4033f3ac550c8c15aef025f22365f3df634f
                          • Instruction ID: a777b04a93a50df8181e537a517ab1d1f80566dc66ac39a2be1263b841f7ba3b
                          • Opcode Fuzzy Hash: 9f58ba08ac14ae7648ea27a3c17a4033f3ac550c8c15aef025f22365f3df634f
                          • Instruction Fuzzy Hash: 5A512D7280811D6ADB21EBA5CC44DEFB7FCAF55210F0900E6E6C5E3141DE3697898FA4
                          APIs
                          • OpenClipboard.USER32(0108DC00), ref: 01046B36
                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 01046B44
                          • GetClipboardData.USER32(0000000D), ref: 01046B4C
                          • CloseClipboard.USER32 ref: 01046B58
                          • GlobalLock.KERNEL32(00000000), ref: 01046B74
                          • CloseClipboard.USER32 ref: 01046B7E
                          • GlobalUnlock.KERNEL32(00000000), ref: 01046B93
                          • IsClipboardFormatAvailable.USER32(00000001), ref: 01046BA0
                          • GetClipboardData.USER32(00000001), ref: 01046BA8
                          • GlobalLock.KERNEL32(00000000), ref: 01046BB5
                          • GlobalUnlock.KERNEL32(00000000), ref: 01046BE9
                          • CloseClipboard.USER32 ref: 01046CF6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                          • String ID:
                          • API String ID: 3222323430-0
                          • Opcode ID: 73e81f1aec5670f6a42e29e54cc85cffb296615005ddc299d466e477f5950458
                          • Instruction ID: 918e9d34690f04154b63a60ef15ba36aad5c1cc677dbdf457e06f83edfb90c1a
                          • Opcode Fuzzy Hash: 73e81f1aec5670f6a42e29e54cc85cffb296615005ddc299d466e477f5950458
                          • Instruction Fuzzy Hash: D851B4B1600209ABD310EFA4DD85F7E77A8AF99B11F000429F6D6E71D0EF76D8058B62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0103F62B
                          • FindClose.KERNEL32(00000000), ref: 0103F67F
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103F6A4
                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0103F6BB
                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0103F6E2
                          • __swprintf.LIBCMT ref: 0103F72E
                          • __swprintf.LIBCMT ref: 0103F767
                          • __swprintf.LIBCMT ref: 0103F7BB
                            • Part of subcall function 0101172B: __woutput_l.LIBCMT ref: 01011784
                          • __swprintf.LIBCMT ref: 0103F809
                          • __swprintf.LIBCMT ref: 0103F858
                          • __swprintf.LIBCMT ref: 0103F8A7
                          • __swprintf.LIBCMT ref: 0103F8F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                          • API String ID: 835046349-2428617273
                          • Opcode ID: d669a41c87603ceaf0ff84758faf70a97d463c070e273528563af47e1081bfe2
                          • Instruction ID: a674626c5e360e187dacf9fd8f4fae107c478bd39653631588897865036c92c5
                          • Opcode Fuzzy Hash: d669a41c87603ceaf0ff84758faf70a97d463c070e273528563af47e1081bfe2
                          • Instruction Fuzzy Hash: 60A11AB2408349ABD315EBA5CD85DBFB7ECBF98704F40081EF68582191EB34D949DB62
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01041B50
                          • _wcscmp.LIBCMT ref: 01041B65
                          • _wcscmp.LIBCMT ref: 01041B7C
                          • GetFileAttributesW.KERNEL32(?), ref: 01041B8E
                          • SetFileAttributesW.KERNEL32(?,?), ref: 01041BA8
                          • FindNextFileW.KERNEL32(00000000,?), ref: 01041BC0
                          • FindClose.KERNEL32(00000000), ref: 01041BCB
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 01041BE7
                          • _wcscmp.LIBCMT ref: 01041C0E
                          • _wcscmp.LIBCMT ref: 01041C25
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01041C37
                          • SetCurrentDirectoryW.KERNEL32(010A39FC), ref: 01041C55
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 01041C5F
                          • FindClose.KERNEL32(00000000), ref: 01041C6C
                          • FindClose.KERNEL32(00000000), ref: 01041C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                          • String ID: *.*
                          • API String ID: 1803514871-438819550
                          • Opcode ID: 1381cd07f81052b95b4897c60969eac89cad36471071cfa0ca896039de2c3af2
                          • Instruction ID: 0f2bff0e8e53ed174fdb2fbd1100e1fadec6f71c67890defd6cc291e79b9329d
                          • Opcode Fuzzy Hash: 1381cd07f81052b95b4897c60969eac89cad36471071cfa0ca896039de2c3af2
                          • Instruction Fuzzy Hash: BC31DB7190121E7BDF24AFF4DC88EDE77EC9F05220F1441A5E991E3080EB75E6858B54
                          APIs
                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 01041CAB
                          • _wcscmp.LIBCMT ref: 01041CC0
                          • _wcscmp.LIBCMT ref: 01041CD7
                            • Part of subcall function 01036BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 01036BEF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 01041D06
                          • FindClose.KERNEL32(00000000), ref: 01041D11
                          • FindFirstFileW.KERNEL32(*.*,?), ref: 01041D2D
                          • _wcscmp.LIBCMT ref: 01041D54
                          • _wcscmp.LIBCMT ref: 01041D6B
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01041D7D
                          • SetCurrentDirectoryW.KERNEL32(010A39FC), ref: 01041D9B
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 01041DA5
                          • FindClose.KERNEL32(00000000), ref: 01041DB2
                          • FindClose.KERNEL32(00000000), ref: 01041DC2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                          • String ID: *.*
                          • API String ID: 1824444939-438819550
                          • Opcode ID: b85281b70df62534baa5dfce15245ffb1bef60cf3f6fff1a06b5e08e0acf73e5
                          • Instruction ID: a5e5b6839ce9c20ee0d7826d31bc79fde21d0a0ec84adeeb7eb902f0af63652d
                          • Opcode Fuzzy Hash: b85281b70df62534baa5dfce15245ffb1bef60cf3f6fff1a06b5e08e0acf73e5
                          • Instruction Fuzzy Hash: 3031F8B190561ABBDF24BBE4DC88ADE77AC9F05220F1405A5E9C1A7080DB35EA85CB54
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memset
                          • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                          • API String ID: 2102423945-2023335898
                          • Opcode ID: 6b965cfe9fedcdb3211bf6b2621484adb33df6f07bdc3335af235fdb21f3421a
                          • Instruction ID: 13db0ed47bbf532b78a796618406a2dc05ddc08a739f08281e62f066dae5fc04
                          • Opcode Fuzzy Hash: 6b965cfe9fedcdb3211bf6b2621484adb33df6f07bdc3335af235fdb21f3421a
                          • Instruction Fuzzy Hash: 6582D272D0421ACBDB24CF98C8907FDBBB1BF44320F2981AAD995AB351D7749D81DB90
                          APIs
                          • GetLocalTime.KERNEL32(?), ref: 010409DF
                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 010409EF
                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 010409FB
                          • __wsplitpath.LIBCMT ref: 01040A59
                          • _wcscat.LIBCMT ref: 01040A71
                          • _wcscat.LIBCMT ref: 01040A83
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 01040A98
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01040AAC
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01040ADE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01040AFF
                          • _wcscpy.LIBCMT ref: 01040B0B
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 01040B4A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                          • String ID: *.*
                          • API String ID: 3566783562-438819550
                          • Opcode ID: 6506302bd47e1145d5dfac158f4ce974ba1d031471ede53c3a45a2a39e5c4942
                          • Instruction ID: 0c27b8942c8e3cdc43a44dd5b300fc6282886d58dc9bd5f97ee50aa6e71ad1d4
                          • Opcode Fuzzy Hash: 6506302bd47e1145d5dfac158f4ce974ba1d031471ede53c3a45a2a39e5c4942
                          • Instruction Fuzzy Hash: 9F617AB65043099FD710EF64C8849AEB3E8FF89310F04896AFAC9D7251DB35E945CB92
                          APIs
                            • Part of subcall function 0102ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0102ABD7
                            • Part of subcall function 0102ABBB: GetLastError.KERNEL32(?,0102A69F,?,?,?), ref: 0102ABE1
                            • Part of subcall function 0102ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0102A69F,?,?,?), ref: 0102ABF0
                            • Part of subcall function 0102ABBB: HeapAlloc.KERNEL32(00000000,?,0102A69F,?,?,?), ref: 0102ABF7
                            • Part of subcall function 0102ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0102AC0E
                            • Part of subcall function 0102AC56: GetProcessHeap.KERNEL32(00000008,0102A6B5,00000000,00000000,?,0102A6B5,?), ref: 0102AC62
                            • Part of subcall function 0102AC56: HeapAlloc.KERNEL32(00000000,?,0102A6B5,?), ref: 0102AC69
                            • Part of subcall function 0102AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0102A6B5,?), ref: 0102AC7A
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0102A6D0
                          • _memset.LIBCMT ref: 0102A6E5
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0102A704
                          • GetLengthSid.ADVAPI32(?), ref: 0102A715
                          • GetAce.ADVAPI32(?,00000000,?), ref: 0102A752
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0102A76E
                          • GetLengthSid.ADVAPI32(?), ref: 0102A78B
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0102A79A
                          • HeapAlloc.KERNEL32(00000000), ref: 0102A7A1
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0102A7C2
                          • CopySid.ADVAPI32(00000000), ref: 0102A7C9
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0102A7FA
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0102A820
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0102A834
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 3996160137-0
                          • Opcode ID: 55fb83d7765677b8462efc20ff9173a453e2381e4dfc0682cdead563dbd1d62e
                          • Instruction ID: 2583357103f8e596ed3678d88de952a1962a93e74e598eaa8ece70c55148fa0a
                          • Opcode Fuzzy Hash: 55fb83d7765677b8462efc20ff9173a453e2381e4dfc0682cdead563dbd1d62e
                          • Instruction Fuzzy Hash: 9C515D71A0021AEFDF11DF94DC44EEEBBB9FF08210F148169F951A7680DB799A05CB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                          • API String ID: 0-4052911093
                          • Opcode ID: f0da4fd6106599390177f8f7ad2aa937c91f99f1114e886c393ae6516dd347cc
                          • Instruction ID: 0ae332e119fa7a6036b83ba3c38030274d8014f702b081b17ef55487a755aac7
                          • Opcode Fuzzy Hash: f0da4fd6106599390177f8f7ad2aa937c91f99f1114e886c393ae6516dd347cc
                          • Instruction Fuzzy Hash: 9B729171E04319DBDB25DF98C8807BEB7F5BF08310F1481AAE945EB290EB749A41DB94
                          APIs
                            • Part of subcall function 01036EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01035FA6,?), ref: 01036ED8
                            • Part of subcall function 010372CB: GetFileAttributesW.KERNEL32(?,01036019), ref: 010372CC
                          • _wcscat.LIBCMT ref: 01036441
                          • __wsplitpath.LIBCMT ref: 0103645F
                          • FindFirstFileW.KERNEL32(?,?), ref: 01036474
                          • _wcscpy.LIBCMT ref: 010364A3
                          • _wcscat.LIBCMT ref: 010364B8
                          • _wcscat.LIBCMT ref: 010364CA
                          • DeleteFileW.KERNEL32(?), ref: 010364DA
                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 010364EB
                          • FindClose.KERNEL32(00000000), ref: 01036506
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                          • String ID: \*.*
                          • API String ID: 2643075503-1173974218
                          • Opcode ID: 5f0d8950bc27a2ff7db85a2db87d04f65cf30bfd9aedb101d2a0eccefe5a1588
                          • Instruction ID: 9b73d379ccaec0caca588869e5f6d3eeaae44ec441538ec5817966785bf85299
                          • Opcode Fuzzy Hash: 5f0d8950bc27a2ff7db85a2db87d04f65cf30bfd9aedb101d2a0eccefe5a1588
                          • Instruction Fuzzy Hash: 3431B6B24083896AC321DBE888849DFB7DCAF95210F40096EF6D9C3145EE36D24D8767
                          APIs
                            • Part of subcall function 01053C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01052BB5,?,?), ref: 01053C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0105328E
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0105332D
                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010533C5
                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01053604
                          • RegCloseKey.ADVAPI32(00000000), ref: 01053611
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                          • String ID:
                          • API String ID: 1240663315-0
                          • Opcode ID: 1ee3c4d35c1181070f09f971457e760378f3de52fe5093bd0082151548edbf49
                          • Instruction ID: 140b94b5c935acd76c181ac7c345264207e1ca099e9c2072580c2f2dcd8c213c
                          • Opcode Fuzzy Hash: 1ee3c4d35c1181070f09f971457e760378f3de52fe5093bd0082151548edbf49
                          • Instruction Fuzzy Hash: C5E17D35604204AFCB55DF68C995E6FBBE8FF88354B04846DF98ADB2A1CB34E905CB41
                          APIs
                          • GetKeyboardState.USER32(?), ref: 01032B5F
                          • GetAsyncKeyState.USER32(000000A0), ref: 01032BE0
                          • GetKeyState.USER32(000000A0), ref: 01032BFB
                          • GetAsyncKeyState.USER32(000000A1), ref: 01032C15
                          • GetKeyState.USER32(000000A1), ref: 01032C2A
                          • GetAsyncKeyState.USER32(00000011), ref: 01032C42
                          • GetKeyState.USER32(00000011), ref: 01032C54
                          • GetAsyncKeyState.USER32(00000012), ref: 01032C6C
                          • GetKeyState.USER32(00000012), ref: 01032C7E
                          • GetAsyncKeyState.USER32(0000005B), ref: 01032C96
                          • GetKeyState.USER32(0000005B), ref: 01032CA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: e48996f1f76136d04099a5317d6a3079fdb89209486751c2bb323f83bf1ee4ef
                          • Instruction ID: a584348d4de2826d78862f0069de49151d8368487df284a01666aa88bd956130
                          • Opcode Fuzzy Hash: e48996f1f76136d04099a5317d6a3079fdb89209486751c2bb323f83bf1ee4ef
                          • Instruction Fuzzy Hash: E8410A34A147CD6EFFB69BE884043B5BEE96F81304F0480D9D6C6562C3DBA995C4C7A2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                          • String ID:
                          • API String ID: 1737998785-0
                          • Opcode ID: d3058563a92d6d93b4b9bb57a4dbe8d44291847a38cd91f3f5d8b9637d35405c
                          • Instruction ID: fc0c695244460dd9d0ac5aec3de4960e1a245d721b642b09bb77a6ac09e5f00f
                          • Opcode Fuzzy Hash: d3058563a92d6d93b4b9bb57a4dbe8d44291847a38cd91f3f5d8b9637d35405c
                          • Instruction Fuzzy Hash: F321B571B001119FE721BF94D888F6D77A8FF59711F00846AF9CAEB294DB7AE8418B50
                          APIs
                            • Part of subcall function 01029ABF: CLSIDFromProgID.OLE32 ref: 01029ADC
                            • Part of subcall function 01029ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 01029AF7
                            • Part of subcall function 01029ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 01029B05
                            • Part of subcall function 01029ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 01029B15
                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0104C235
                          • _memset.LIBCMT ref: 0104C242
                          • _memset.LIBCMT ref: 0104C360
                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0104C38C
                          • CoTaskMemFree.OLE32(?), ref: 0104C397
                          Strings
                          • NULL Pointer assignment, xrefs: 0104C3E5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                          • String ID: NULL Pointer assignment
                          • API String ID: 1300414916-2785691316
                          • Opcode ID: e640066bc083f35e307d757454e867c28d9ebeeb9785a7d005a3c39e36637837
                          • Instruction ID: 924b55c4d78f22c3895d4a7b1d75e3d14421a94c64d419c5de6c53fa37c6995a
                          • Opcode Fuzzy Hash: e640066bc083f35e307d757454e867c28d9ebeeb9785a7d005a3c39e36637837
                          • Instruction Fuzzy Hash: AE916C71D01219ABDB10DF94DD80EEEBBB8EF44310F10816AF659B7290DB715A45CFA0
                          APIs
                            • Part of subcall function 0102B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102B180
                            • Part of subcall function 0102B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102B1AD
                            • Part of subcall function 0102B134: GetLastError.KERNEL32 ref: 0102B1BA
                          • ExitWindowsEx.USER32(?,00000000), ref: 01037A0F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                          • String ID: $@$SeShutdownPrivilege
                          • API String ID: 2234035333-194228
                          • Opcode ID: dad01e19460b86aaadd3ce6d21d5ff25034054a795ea8c769c047274b8037374
                          • Instruction ID: 5c10f35389b4b94948e6592468be8750eb5346ede06d820e2723b5e64c4412d9
                          • Opcode Fuzzy Hash: dad01e19460b86aaadd3ce6d21d5ff25034054a795ea8c769c047274b8037374
                          • Instruction Fuzzy Hash: 3601FCB17506126AF76816E89C4ABBB769C9BC0241F140954EAC3E20C2D5A55E0282B0
                          APIs
                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 01048CA8
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048CB7
                          • bind.WSOCK32(00000000,?,00000010), ref: 01048CD3
                          • listen.WSOCK32(00000000,00000005), ref: 01048CE2
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048CFC
                          • closesocket.WSOCK32(00000000,00000000), ref: 01048D10
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLast$bindclosesocketlistensocket
                          • String ID:
                          • API String ID: 1279440585-0
                          • Opcode ID: a5878439d25c829f487d2cc963f81a61e38800ff2340dd9ea3de61f7af7cb5e3
                          • Instruction ID: 17c7c55736a161807dbfcddb6ada125c484ccb1c9d8d20f0fc68d6209c747a41
                          • Opcode Fuzzy Hash: a5878439d25c829f487d2cc963f81a61e38800ff2340dd9ea3de61f7af7cb5e3
                          • Instruction Fuzzy Hash: EB21B1716002059FDB20EFA8CD84B6EB7E9FF48310F1485A9EA96B72D1CB74AD41CB51
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01036554
                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 01036564
                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 01036583
                          • __wsplitpath.LIBCMT ref: 010365A7
                          • _wcscat.LIBCMT ref: 010365BA
                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 010365F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                          • String ID:
                          • API String ID: 1605983538-0
                          • Opcode ID: 2b6cc59644b712560bef08233dc01e56d7637eda388205b1369b1d8b4fff4033
                          • Instruction ID: 35acfa1b4f1897d515c2c613fea0b7421d87797975b5d9a3bd510e9d5e8ccc2b
                          • Opcode Fuzzy Hash: 2b6cc59644b712560bef08233dc01e56d7637eda388205b1369b1d8b4fff4033
                          • Instruction Fuzzy Hash: 13216571900219FBDB21ABA4D888BDDBBFCAF44300F5004F5E585E7185DB769B85CB60
                          APIs
                            • Part of subcall function 0104A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0104A84E
                          • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 01049296
                          • WSAGetLastError.WSOCK32(00000000,00000000), ref: 010492B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLastinet_addrsocket
                          • String ID:
                          • API String ID: 4170576061-0
                          • Opcode ID: 2f6d7eb10aba488fbdaa9cbcfea4b956c9769b7c581577ed7e640b776a1a0fba
                          • Instruction ID: db41d7fc8533c5ad41b24cd5f3d09c34d021ac30a9528b490f8ef39fc9772b08
                          • Opcode Fuzzy Hash: 2f6d7eb10aba488fbdaa9cbcfea4b956c9769b7c581577ed7e640b776a1a0fba
                          • Instruction Fuzzy Hash: 6C41E270600105AFEB11AB68CC81EBF77EDEF48324F048458FA96AB2C2DB749D018B91
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0103EB8A
                          • _wcscmp.LIBCMT ref: 0103EBBA
                          • _wcscmp.LIBCMT ref: 0103EBCF
                          • FindNextFileW.KERNEL32(00000000,?), ref: 0103EBE0
                          • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0103EC0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Find$File_wcscmp$CloseFirstNext
                          • String ID:
                          • API String ID: 2387731787-0
                          • Opcode ID: 83ad3ab78e1d305ba664b6fed8c41ec7d08f779b8aabd4b5aaa5730262552818
                          • Instruction ID: 912575fc476802f66afeffd022b69ff32530a47a581d3bcd38d89c26696d2ad0
                          • Opcode Fuzzy Hash: 83ad3ab78e1d305ba664b6fed8c41ec7d08f779b8aabd4b5aaa5730262552818
                          • Instruction Fuzzy Hash: 1441EE34604302CFD719DF68C490E9AB7E8FF89320F10465DEA9A8B3A1DB35A941CB91
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                          • String ID:
                          • API String ID: 292994002-0
                          • Opcode ID: 925394b4868d34132a4def393a5a686581b24b0a361ee2aa48d5159236448413
                          • Instruction ID: d41ab286ab401afc03706890e34fa1a0f8e36f9e807220eb8f9ba6a6fddd1b01
                          • Opcode Fuzzy Hash: 925394b4868d34132a4def393a5a686581b24b0a361ee2aa48d5159236448413
                          • Instruction Fuzzy Hash: 2E1190317002156BF7611F6BDC44E6FBB9CEF94760B04846AED89E7281CB35990187A8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                          • API String ID: 0-1546025612
                          • Opcode ID: a8c6cfb032bd33ec1ba712fbeaf9b4df50b5c0e95eccaaa93f02265f9efff23b
                          • Instruction ID: e32df64e0964d7fea140ad2c9660b8868ced08a96d5d4e6c9c8fc3fc8742bb0e
                          • Opcode Fuzzy Hash: a8c6cfb032bd33ec1ba712fbeaf9b4df50b5c0e95eccaaa93f02265f9efff23b
                          • Instruction Fuzzy Hash: C3929DB1E0421ACBEF24CF58C8407BDB7B1BF44314F14819AE95AAB290D7719D81EF95
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0100E014,75920AE0,0100DEF1,0108DC38,?,?), ref: 0100E02C
                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0100E03E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetNativeSystemInfo$kernel32.dll
                          • API String ID: 2574300362-192647395
                          • Opcode ID: de97cc3cda052e2c92379095185529833867107d6341bd044cf563acbf8cc7df
                          • Instruction ID: 03e862a50445c46c3d349c5954485ce83caaf02db01f6b669d7a7b6cb1389f8d
                          • Opcode Fuzzy Hash: de97cc3cda052e2c92379095185529833867107d6341bd044cf563acbf8cc7df
                          • Instruction Fuzzy Hash: BDD09EB0944712AEE7729BA5E81865276D8AF04611F18486EAAD6B2584D7B8D4C08750
                          APIs
                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 01036733
                          • _memset.LIBCMT ref: 01036754
                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 010367A6
                          • CloseHandle.KERNEL32(00000000), ref: 010367AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CloseControlCreateDeviceFileHandle_memset
                          • String ID:
                          • API String ID: 1157408455-0
                          • Opcode ID: fb3bb06c55fbdd519d7d78f18657b045bc2db017cabffb713eafb32adb61ac13
                          • Instruction ID: bfc48d189976c619e4177a715f2a357a25ba01aec3e786c37c17c24b606e5e98
                          • Opcode Fuzzy Hash: fb3bb06c55fbdd519d7d78f18657b045bc2db017cabffb713eafb32adb61ac13
                          • Instruction Fuzzy Hash: FA11A775D012287AE73156A5AC4DFEBBABCEF44760F10419AF548E7180D6744F808B64
                          APIs
                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 010313DC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: lstrlen
                          • String ID: ($|
                          • API String ID: 1659193697-1631851259
                          • Opcode ID: 159ba3fe03dc031984413ac7600309b54b6f58c20b2dc3617799862aeaebc34d
                          • Instruction ID: a266bd751c5a695f127d05c37b04fcff8267db69d909c827dfe5102a4a153414
                          • Opcode Fuzzy Hash: 159ba3fe03dc031984413ac7600309b54b6f58c20b2dc3617799862aeaebc34d
                          • Instruction Fuzzy Hash: 71320575A006059FD728CF69C4809AAB7F4FF8C310B15C5AEE59ADB3A1DB70E941CB44
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 0100B22F
                            • Part of subcall function 0100B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0100B5A5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Proc$LongWindow
                          • String ID:
                          • API String ID: 2749884682-0
                          • Opcode ID: 1994a7bb54f1fa0247708e9bc19427ea4e25c4a80f94942200f81b43163048f7
                          • Instruction ID: 22f4e450c445f3da80ae42c5c99d37cf7ab2fb23120ec7e1c65de0a04b2361a9
                          • Opcode Fuzzy Hash: 1994a7bb54f1fa0247708e9bc19427ea4e25c4a80f94942200f81b43163048f7
                          • Instruction Fuzzy Hash: 16A1597C114206FAFB7AAA2D9C98EFF3EDCEB56640F404159FAC1D61C1DB299D018272
                          APIs
                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,010443BF,00000000), ref: 01044FA6
                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01044FD2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Internet$AvailableDataFileQueryRead
                          • String ID:
                          • API String ID: 599397726-0
                          • Opcode ID: b836ef3357dffe9b12957b1b8533914d06c854dc83f29886c9f304fbf4eb4188
                          • Instruction ID: b2e2a682a396e68eaf0ec007b699f153fde9825411498ac33c20fe971d26681b
                          • Opcode Fuzzy Hash: b836ef3357dffe9b12957b1b8533914d06c854dc83f29886c9f304fbf4eb4188
                          • Instruction Fuzzy Hash: C941B4B550420ABFEB219E94DCC5FBFB7ECEB40724F00407AF685A6180EA719E41D7A0
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0103E20D
                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0103E267
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0103E2B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorMode$DiskFreeSpace
                          • String ID:
                          • API String ID: 1682464887-0
                          • Opcode ID: 662390abab2cc96d7ac764bd5b9f4285f4b8b97cfdf678267c68c8e4db5d0f26
                          • Instruction ID: 0083a3841a4f3c8e1644ee938364ad775a6a5d25ae481bf93200d3b2b884cc69
                          • Opcode Fuzzy Hash: 662390abab2cc96d7ac764bd5b9f4285f4b8b97cfdf678267c68c8e4db5d0f26
                          • Instruction Fuzzy Hash: 19213D35A00118EFDB00EFA5D894EEDBBB8FF98310F0484A9E945E7255DB35A915CB50
                          APIs
                            • Part of subcall function 0100F4EA: std::exception::exception.LIBCMT ref: 0100F51E
                            • Part of subcall function 0100F4EA: __CxxThrowException@8.LIBCMT ref: 0100F533
                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0102B180
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0102B1AD
                          • GetLastError.KERNEL32 ref: 0102B1BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                          • String ID:
                          • API String ID: 1922334811-0
                          • Opcode ID: e136ef1668c393a8c1feaad6ddff6bfc7b35d274f2f084251f04918203156e05
                          • Instruction ID: 95af90008d470ed5f0bbb4390cc357072cee27da1719b6931b75be6b59e35c0c
                          • Opcode Fuzzy Hash: e136ef1668c393a8c1feaad6ddff6bfc7b35d274f2f084251f04918203156e05
                          • Instruction Fuzzy Hash: DD11BFB1800205AFE3289F54DC85D6AB7ACFF44610B20852EE496A7240DB75FC418B60
                          APIs
                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01037223
                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0103723A
                          • FreeSid.ADVAPI32(?), ref: 0103724A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AllocateCheckFreeInitializeMembershipToken
                          • String ID:
                          • API String ID: 3429775523-0
                          • Opcode ID: 6bb61d231a2ffb61ecd1b23b0b15b74afca596b80763cff5734808075c2cb05c
                          • Instruction ID: 61520b1c7e25d710220894bd0861e8bcf10c2fdc514cada6efa1c91cbe92ed88
                          • Opcode Fuzzy Hash: 6bb61d231a2ffb61ecd1b23b0b15b74afca596b80763cff5734808075c2cb05c
                          • Instruction Fuzzy Hash: A4F01D76E00209FFDF05DFE4D989EEEBBBCEF08201F105469B602E2181E27596548B50
                          APIs
                          • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 01037547
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: mouse_event
                          • String ID: DOWN
                          • API String ID: 2434400541-711622031
                          • Opcode ID: a1a9d0f678c77c7f1b27d0444e138bd86ea87769cb22feb4e01ce515f1906131
                          • Instruction ID: d368ef6b89069df7f094baa9aa1eb2c88edd2ff43903f26e574413eef7ff39a7
                          • Opcode Fuzzy Hash: a1a9d0f678c77c7f1b27d0444e138bd86ea87769cb22feb4e01ce515f1906131
                          • Instruction Fuzzy Hash: 77E086A228C76279F94831597C02DF7338C9B62131710028AF8D5E54C5ED8559815269
                          APIs
                          • FindFirstFileW.KERNEL32(?,?), ref: 0103F599
                          • FindClose.KERNEL32(00000000), ref: 0103F5C9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Find$CloseFileFirst
                          • String ID:
                          • API String ID: 2295610775-0
                          • Opcode ID: 1caee26570d9da2ce56d08e98982d7d1dd29683b7ff8af7a77db1eb7cff3b531
                          • Instruction ID: 6d1f39a8bb762679efe71fb7c9ee54b2ceb648796e54ec1166c3612bcc2f9852
                          • Opcode Fuzzy Hash: 1caee26570d9da2ce56d08e98982d7d1dd29683b7ff8af7a77db1eb7cff3b531
                          • Instruction Fuzzy Hash: 4511C0326002059FD710EF68D848E6EB3E8FF94324F00891EF9A9D72D0CB34A9048B81
                          APIs
                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0104BE6A,?,?,00000000,?), ref: 0103CEA7
                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0104BE6A,?,?,00000000,?), ref: 0103CEB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorFormatLastMessage
                          • String ID:
                          • API String ID: 3479602957-0
                          • Opcode ID: acb81ed501e772fe324c1af8ea4ec83484493a3a2fdd11ba5c9c003127a54189
                          • Instruction ID: 46e66b87012515a39047a3faf48c87007b5b855679192c1793b5f3b8f1e40974
                          • Opcode Fuzzy Hash: acb81ed501e772fe324c1af8ea4ec83484493a3a2fdd11ba5c9c003127a54189
                          • Instruction Fuzzy Hash: EEF0823150422DABEB209AA4DC48FEA776DBF08361F008156F959E6181D6749A45CBA0
                          APIs
                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 01034153
                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 01034166
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InputSendkeybd_event
                          • String ID:
                          • API String ID: 3536248340-0
                          • Opcode ID: 1aef42b0006807e27c2b6b11053bfb16cae0768ca5eba036252e38359a7efbfc
                          • Instruction ID: 9e610855eca106b90d7e57166dedb1c1753ab99c742c00d52f7808f3e232e5e9
                          • Opcode Fuzzy Hash: 1aef42b0006807e27c2b6b11053bfb16cae0768ca5eba036252e38359a7efbfc
                          • Instruction Fuzzy Hash: 05F0907090034DAFDB058FA4C805BBE7FB4EF00305F008049F9A5AA191D779C612CFA0
                          APIs
                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0102ACC0), ref: 0102AB99
                          • CloseHandle.KERNEL32(?,?,0102ACC0), ref: 0102ABAB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AdjustCloseHandlePrivilegesToken
                          • String ID:
                          • API String ID: 81990902-0
                          • Opcode ID: 9c6d0251945008078530133dac43fa87a5ac4ec740d18b3cff89a0d23a9d8110
                          • Instruction ID: 716138daac4f23d58743118c2cb16ed1cd5a1e3b72b99e660d3e75ad7e3011b9
                          • Opcode Fuzzy Hash: 9c6d0251945008078530133dac43fa87a5ac4ec740d18b3cff89a0d23a9d8110
                          • Instruction Fuzzy Hash: 1CE0BF71000511AFF7362F54EC05DB67BE9EF04221B108859F5D981474DB635D90DB50
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,01016DB3,-0000031A,?,?,00000001), ref: 010181B1
                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 010181BA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: 460bc25bbaa982d56c88bd8c0e26b56241bb75242b170b9537cb15389aef72e1
                          • Instruction ID: 8e0ee9f970b4b6b731f5910116d937d647c63e717ee6bfc5172b4a1dcfe26206
                          • Opcode Fuzzy Hash: 460bc25bbaa982d56c88bd8c0e26b56241bb75242b170b9537cb15389aef72e1
                          • Instruction Fuzzy Hash: 21B09271444608ABDB102BE1E809B587FA8EF08662F008010F64D680558B7754109BA1
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memmove
                          • String ID:
                          • API String ID: 4104443479-0
                          • Opcode ID: f146e8d3128187633a66338efb3aafebbb15e24542d433e5a6ebd05d9400bdc0
                          • Instruction ID: a2aeda0db9684e0d7d689f6e28fc5a4c2a6a5ecef3d40ba4eef3e204acb861d0
                          • Opcode Fuzzy Hash: f146e8d3128187633a66338efb3aafebbb15e24542d433e5a6ebd05d9400bdc0
                          • Instruction Fuzzy Hash: F8A26B71E04219CFDB24DF58C4807ADBBB1FF48310F2581A9E999AB3A1D7349E81DB94
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Exception@8Throwstd::exception::exception
                          • String ID: @
                          • API String ID: 3728558374-2766056989
                          • Opcode ID: 29ad5a9a914a5478a0b8f6275e1179a86a97ed505d53d8f50c8a4832ae72f3b2
                          • Instruction ID: e25c525633f4371d3c41cb63f1369f059d5ec74b27d4ebacc75ec202b6e5ffb5
                          • Opcode Fuzzy Hash: 29ad5a9a914a5478a0b8f6275e1179a86a97ed505d53d8f50c8a4832ae72f3b2
                          • Instruction Fuzzy Hash: BC72A274A00109DFEF16EF98C480AFEBBB5FF44304F14809AEA85AB291D775AD45CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 109bacade3c96c7b9c9c425c8b4838dfb6a02b69fdf2cf7ba7f9be686d2a3ae2
                          • Instruction ID: 79a905b41e547a2519f5b775a9b4f6733693e15e58c453b6bc2d17a6bd779e67
                          • Opcode Fuzzy Hash: 109bacade3c96c7b9c9c425c8b4838dfb6a02b69fdf2cf7ba7f9be686d2a3ae2
                          • Instruction Fuzzy Hash: 36322632D29F414DDB239539C82533AA689AFB73D4F15D727F899B599EEB2DC0834200
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __itow__swprintf
                          • String ID:
                          • API String ID: 674341424-0
                          • Opcode ID: 02c77559ccbff6f7890027bdfd6735cb6d7ea5b3a3276c1a9094141b4f0713b9
                          • Instruction ID: 7d24fccd3b0b787af8f489e82f00acb26e948e23c6b93540ec386117ca4f0b3c
                          • Opcode Fuzzy Hash: 02c77559ccbff6f7890027bdfd6735cb6d7ea5b3a3276c1a9094141b4f0713b9
                          • Instruction Fuzzy Hash: D3229C715083059FE725DF24C890BABB7E4BF84310F00491DFADA972A1DBB5E944DB82
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e985e559f223ee83a30b2992eca8d9e90796c2ecb86de60d9dcd3e0ac42b9f1c
                          • Instruction ID: fe5785a13ed6141638ccb189398b623d256397991f7aa52e239e310ebc83da05
                          • Opcode Fuzzy Hash: e985e559f223ee83a30b2992eca8d9e90796c2ecb86de60d9dcd3e0ac42b9f1c
                          • Instruction Fuzzy Hash: 7AB11430D2AF514DD3239538883133AB65C6FBB2D5F91D71BFC9A74D16EB2681834680
                          APIs
                          • __time64.LIBCMT ref: 0103B6DF
                            • Part of subcall function 0101344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0103BDC3,00000000,?,?,?,?,0103BF70,00000000,?), ref: 01013453
                            • Part of subcall function 0101344A: __aulldiv.LIBCMT ref: 01013473
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Time$FileSystem__aulldiv__time64
                          • String ID:
                          • API String ID: 2893107130-0
                          • Opcode ID: 1c27309e6496db328aa0b5fe21a537197d5cb66f4c9e4400dd8f0f3116efb975
                          • Instruction ID: ebe9d0bc3e4e2779243f64336152b0f63c08eb4c422424def0395fb9c18fb3e9
                          • Opcode Fuzzy Hash: 1c27309e6496db328aa0b5fe21a537197d5cb66f4c9e4400dd8f0f3116efb975
                          • Instruction Fuzzy Hash: 3821B476634510CBC72ACF38C481A92B7E5FB95310B248E6DD0E5CF2C1CA78B905DB54
                          APIs
                          • BlockInput.USER32(00000001), ref: 01046ACA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BlockInput
                          • String ID:
                          • API String ID: 3456056419-0
                          • Opcode ID: 974b2c496cd9c680cd48d60c08e01958ae88c7c160cb3594e063b70d3f720576
                          • Instruction ID: f98b58929d7048a06704567c8aaa785a4fbfe8f4644737d6918b2e3db8c5bc5d
                          • Opcode Fuzzy Hash: 974b2c496cd9c680cd48d60c08e01958ae88c7c160cb3594e063b70d3f720576
                          • Instruction Fuzzy Hash: 9CE0D835200204AFD700EF99D804D96B7EDAF78351F04C426E985C7290DAB1F8048BA0
                          APIs
                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0102AD3E), ref: 0102B124
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: LogonUser
                          • String ID:
                          • API String ID: 1244722697-0
                          • Opcode ID: 681b3fff4f34892c291443925c5e0ba2e88faa543bc1942a6e020b07e2e7ab0c
                          • Instruction ID: 6552ce6f120af3596c2350f0b6a3847e7c5ee3de44eac65fc5d88e763c93587b
                          • Opcode Fuzzy Hash: 681b3fff4f34892c291443925c5e0ba2e88faa543bc1942a6e020b07e2e7ab0c
                          • Instruction Fuzzy Hash: 7BD05E320A460EAEDF024EA4DC02EAE3F6AEB04700F408110FA11D5090C676D531AB50
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: NameUser
                          • String ID:
                          • API String ID: 2645101109-0
                          • Opcode ID: e3e268ff4956de3f5733c280ec35e8868095ec737a6b6fed6b24ddb2d56f5262
                          • Instruction ID: 814c1acbb8b86da4a24ef15ea7dc93350bcab1ca37c16a23afaa1f2003fa22f1
                          • Opcode Fuzzy Hash: e3e268ff4956de3f5733c280ec35e8868095ec737a6b6fed6b24ddb2d56f5262
                          • Instruction Fuzzy Hash: 0CC04CB180050DDFC751DBC0C944AEEB7BCAB04311F105091A146F2104D7759B458B71
                          APIs
                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0101818F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ExceptionFilterUnhandled
                          • String ID:
                          • API String ID: 3192549508-0
                          • Opcode ID: aef3b7be8f6ec451d19dc4778ece3345a6b1f08666ec63f4a2cb3b53605393b5
                          • Instruction ID: 43407e5bbfebc844c44d34dd133fb67569e8f5cd60089c3c7366e15362cad5fe
                          • Opcode Fuzzy Hash: aef3b7be8f6ec451d19dc4778ece3345a6b1f08666ec63f4a2cb3b53605393b5
                          • Instruction Fuzzy Hash: E8A0223000020CFBCF002FC2FC088883FACFF002A0B008020F80C28020CB33A820ABE0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6f706d0c0284f53cc786e279087742829701102553d0bb244ab17a8191681038
                          • Instruction ID: 1e543e0fc9eb3442b2449b2dee9949e7237642c0d59815d93291f6ecbff9cb2f
                          • Opcode Fuzzy Hash: 6f706d0c0284f53cc786e279087742829701102553d0bb244ab17a8191681038
                          • Instruction Fuzzy Hash: A022BE75D0020A8FDB24DF58C480BBAB7F1FF14314F188069DA96AB3B1E735A985DB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 282f4aef34bb94eda67c2e4bfa913459857a0a911f27c1bbedb774600d52f60d
                          • Instruction ID: 5d8fc87171a2c9cf8670383ceb860471c96561d82c64c26fb7cb2331fdd1e0bf
                          • Opcode Fuzzy Hash: 282f4aef34bb94eda67c2e4bfa913459857a0a911f27c1bbedb774600d52f60d
                          • Instruction Fuzzy Hash: 7B12AC70A006099FDF14DFA4D981AFEB7F9FF48300F144569E946E72A4EB3AA910DB50
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Exception@8Throwstd::exception::exception
                          • String ID:
                          • API String ID: 3728558374-0
                          • Opcode ID: f982c928ee301c5bcda85c45447973697ef413e6e6553cbf9b32285740afa26e
                          • Instruction ID: b2691644b79d1966e65f9dcdf20980163903159528e232dc5a9cf1faf8de42cb
                          • Opcode Fuzzy Hash: f982c928ee301c5bcda85c45447973697ef413e6e6553cbf9b32285740afa26e
                          • Instruction Fuzzy Hash: 8302D170A00109DBDF14DF68D991ABEBBF9FF44300F108069E946EB2A5EB35DA14DB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction ID: 080afd97fd50b82aecb338213c4d5b11d42106db40cd7301dde2074ea743dca9
                          • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                          • Instruction Fuzzy Hash: BCC184322051D30AEBAE463D847443EBEE15BA1BB571A079DE4F2CB5DAEF24C164D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction ID: f5d877e6f13dc502867fd6b62fdc347c6817e11237cd3a9e539fb454f6a31048
                          • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                          • Instruction Fuzzy Hash: 2CC174322051D30AFBAE463D847443EBEE15B92BB571A179DE4F2CB4CAEF24C164D620
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction ID: aa6f8918d754fa258359f9cd01161c6967b53da41778d1cfeec620f0d4f21202
                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                          • Instruction Fuzzy Hash: 37C162322051D30BFBBF463D847443EBEE15AA2BB5B1A079DD4F2CB5C6EE209564E610
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 0104A2FE
                          • DeleteObject.GDI32(00000000), ref: 0104A310
                          • DestroyWindow.USER32 ref: 0104A31E
                          • GetDesktopWindow.USER32 ref: 0104A338
                          • GetWindowRect.USER32(00000000), ref: 0104A33F
                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0104A480
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0104A490
                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A4D8
                          • GetClientRect.USER32(00000000,?), ref: 0104A4E4
                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0104A51E
                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A540
                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A553
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A55E
                          • GlobalLock.KERNEL32(00000000), ref: 0104A567
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A576
                          • GlobalUnlock.KERNEL32(00000000), ref: 0104A57F
                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A586
                          • GlobalFree.KERNEL32(00000000), ref: 0104A591
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A5A3
                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0107D9BC,00000000), ref: 0104A5B9
                          • GlobalFree.KERNEL32(00000000), ref: 0104A5C9
                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0104A5EF
                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0104A60E
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A630
                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0104A81D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                          • String ID: $AutoIt v3$DISPLAY$static
                          • API String ID: 2211948467-2373415609
                          • Opcode ID: 7f231964f3adc878e4b0ddc5bae4f909ab7ea942da510c3da84bd4b35a1f6543
                          • Instruction ID: 1a3e820de5d2b5b9b01a485e8f19a5e0a647fd977873b85a88183bd04362d0ed
                          • Opcode Fuzzy Hash: 7f231964f3adc878e4b0ddc5bae4f909ab7ea942da510c3da84bd4b35a1f6543
                          • Instruction Fuzzy Hash: B6027271A00108EFDB24DFA4DD89EAE7BB9FF48310F048159FA56AB294D7759D01CB60
                          APIs
                          • SetTextColor.GDI32(?,00000000), ref: 0105D2DB
                          • GetSysColorBrush.USER32(0000000F), ref: 0105D30C
                          • GetSysColor.USER32(0000000F), ref: 0105D318
                          • SetBkColor.GDI32(?,000000FF), ref: 0105D332
                          • SelectObject.GDI32(?,00000000), ref: 0105D341
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0105D36C
                          • GetSysColor.USER32(00000010), ref: 0105D374
                          • CreateSolidBrush.GDI32(00000000), ref: 0105D37B
                          • FrameRect.USER32(?,?,00000000), ref: 0105D38A
                          • DeleteObject.GDI32(00000000), ref: 0105D391
                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0105D3DC
                          • FillRect.USER32(?,?,00000000), ref: 0105D40E
                          • GetWindowLongW.USER32(?,000000F0), ref: 0105D439
                            • Part of subcall function 0105D575: GetSysColor.USER32(00000012), ref: 0105D5AE
                            • Part of subcall function 0105D575: SetTextColor.GDI32(?,?), ref: 0105D5B2
                            • Part of subcall function 0105D575: GetSysColorBrush.USER32(0000000F), ref: 0105D5C8
                            • Part of subcall function 0105D575: GetSysColor.USER32(0000000F), ref: 0105D5D3
                            • Part of subcall function 0105D575: GetSysColor.USER32(00000011), ref: 0105D5F0
                            • Part of subcall function 0105D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105D5FE
                            • Part of subcall function 0105D575: SelectObject.GDI32(?,00000000), ref: 0105D60F
                            • Part of subcall function 0105D575: SetBkColor.GDI32(?,00000000), ref: 0105D618
                            • Part of subcall function 0105D575: SelectObject.GDI32(?,?), ref: 0105D625
                            • Part of subcall function 0105D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0105D644
                            • Part of subcall function 0105D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105D65B
                            • Part of subcall function 0105D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0105D670
                            • Part of subcall function 0105D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105D698
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                          • String ID:
                          • API String ID: 3521893082-0
                          • Opcode ID: 36c2c8009b14192495772391c09443ea0d0d1d8e7b53497798c2e40005627aab
                          • Instruction ID: 2228dfc2d75edad51a8a07e73e990cd044e44e0fc4a67abe738f8591ff5a51eb
                          • Opcode Fuzzy Hash: 36c2c8009b14192495772391c09443ea0d0d1d8e7b53497798c2e40005627aab
                          • Instruction Fuzzy Hash: 9A91A071808301BFDB619FA4DC08E6B7BE9FF89325F004A19F9A2A61D0D776D944CB52
                          APIs
                          • DestroyWindow.USER32 ref: 0100B98B
                          • DeleteObject.GDI32(00000000), ref: 0100B9CD
                          • DeleteObject.GDI32(00000000), ref: 0100B9D8
                          • DestroyIcon.USER32(00000000), ref: 0100B9E3
                          • DestroyWindow.USER32(00000000), ref: 0100B9EE
                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0106D2AA
                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0106D2E3
                          • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0106D711
                            • Part of subcall function 0100B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0100B759,?,00000000,?,?,?,?,0100B72B,00000000,?), ref: 0100BA58
                          • SendMessageW.USER32 ref: 0106D758
                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0106D76F
                          • ImageList_Destroy.COMCTL32(00000000), ref: 0106D785
                          • ImageList_Destroy.COMCTL32(00000000), ref: 0106D790
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                          • String ID: 0
                          • API String ID: 464785882-4108050209
                          • Opcode ID: 4c0fb6ccf64dfc8ba6ca7260f4e2010fb8e77406899345f32e45ca1bfe148cee
                          • Instruction ID: 53fef67d70a61d3529ffd59e5bd09010144dbd0b3c2a4a81872cef49172546e2
                          • Opcode Fuzzy Hash: 4c0fb6ccf64dfc8ba6ca7260f4e2010fb8e77406899345f32e45ca1bfe148cee
                          • Instruction Fuzzy Hash: CA129034604252DFEB62CF58C484BA9BBE9FF49304F0445A9F9C9DB692CB35E841CB91
                          APIs
                          • DestroyWindow.USER32(00000000), ref: 01049F83
                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0104A042
                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0104A080
                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0104A092
                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0104A0D8
                          • GetClientRect.USER32(00000000,?), ref: 0104A0E4
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0104A128
                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0104A137
                          • GetStockObject.GDI32(00000011), ref: 0104A147
                          • SelectObject.GDI32(00000000,00000000), ref: 0104A14B
                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0104A15B
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0104A164
                          • DeleteDC.GDI32(00000000), ref: 0104A16D
                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0104A19B
                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 0104A1B2
                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0104A1ED
                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0104A201
                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 0104A212
                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0104A242
                          • GetStockObject.GDI32(00000011), ref: 0104A24D
                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0104A258
                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0104A262
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                          • API String ID: 2910397461-517079104
                          • Opcode ID: 1de0aef96186ffff6b8fd956b9505e77da049ee26b48dc7bdb7d4589d8e94363
                          • Instruction ID: 00afe81c869cba80654c7a46e80a8737a76435578f6822d4f42b2b67e3a8170d
                          • Opcode Fuzzy Hash: 1de0aef96186ffff6b8fd956b9505e77da049ee26b48dc7bdb7d4589d8e94363
                          • Instruction Fuzzy Hash: 8FA161B1A50219BFEB24DBA8DD8AFAE7BB9EF04710F004114FA55A71D0D7B5AD00CB64
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0103DBD6
                          • GetDriveTypeW.KERNEL32(?,0108DC54,?,\\.\,0108DC00), ref: 0103DCC3
                          • SetErrorMode.KERNEL32(00000000,0108DC54,?,\\.\,0108DC00), ref: 0103DE29
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorMode$DriveType
                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                          • API String ID: 2907320926-4222207086
                          • Opcode ID: 0aa8b33dfae1f05e78684d5a7fda56a974778d58afb9564fec6a5a866d4f0b14
                          • Instruction ID: 5feb15fa500a6fd1f7edc0db9db2b9a99d45bce578f1f88b1b2b7ee5c3072a06
                          • Opcode Fuzzy Hash: 0aa8b33dfae1f05e78684d5a7fda56a974778d58afb9564fec6a5a866d4f0b14
                          • Instruction Fuzzy Hash: CE519E3025830AABC210FBD5C99686DBBADFBD4A44BC0491EF2C79F261DB60D845CB42
                          APIs
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                          • API String ID: 1038674560-86951937
                          • Opcode ID: b37f9a3c7d58a80bf543ee1262406994462eeb6eb8346400d0340a7692e9799d
                          • Instruction ID: b9e1e574455ca84c2eebf52834987d350109a40a29ae5c5c0ef6c53a285938c2
                          • Opcode Fuzzy Hash: b37f9a3c7d58a80bf543ee1262406994462eeb6eb8346400d0340a7692e9799d
                          • Instruction Fuzzy Hash: 9A81053164021EAADB25BFA4CD82FFE3BA9AF24700F044038FB85AA1D5EB64D501D6D0
                          APIs
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0105C788
                          • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0105C83E
                          • SendMessageW.USER32(?,00001102,00000002,?), ref: 0105C859
                          • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0105CB15
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: 0
                          • API String ID: 2326795674-4108050209
                          • Opcode ID: bd850d71927545fb5d6e3309907315d8b3c3ff19fcf9da185ff84be964198618
                          • Instruction ID: bf006a7e0621e3952d9b65cfefdbcdd357d1f0ce46b7688c478c82538338d515
                          • Opcode Fuzzy Hash: bd850d71927545fb5d6e3309907315d8b3c3ff19fcf9da185ff84be964198618
                          • Instruction Fuzzy Hash: C2F1B071504305ABF7A18F28C989BABBFE8FF49354F08065DFAC9A6291C775C840CB91
                          APIs
                          • CharUpperBuffW.USER32(?,?,0108DC00), ref: 01056449
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                          • API String ID: 3964851224-45149045
                          • Opcode ID: d15d8f636293b845d87cc300d13b538b14b79715a58d982306f774bdfe3e6b90
                          • Instruction ID: b063ca493f11970f78600f9bd4f429b7d14bada2fba533ec89189bb3b29d8862
                          • Opcode Fuzzy Hash: d15d8f636293b845d87cc300d13b538b14b79715a58d982306f774bdfe3e6b90
                          • Instruction Fuzzy Hash: B4C1A73420425A8BDB44EF54C550EBF7BE5BFA4244F84485CEDC6AB2E1DB22E94BCB41
                          APIs
                          • GetSysColor.USER32(00000012), ref: 0105D5AE
                          • SetTextColor.GDI32(?,?), ref: 0105D5B2
                          • GetSysColorBrush.USER32(0000000F), ref: 0105D5C8
                          • GetSysColor.USER32(0000000F), ref: 0105D5D3
                          • CreateSolidBrush.GDI32(?), ref: 0105D5D8
                          • GetSysColor.USER32(00000011), ref: 0105D5F0
                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0105D5FE
                          • SelectObject.GDI32(?,00000000), ref: 0105D60F
                          • SetBkColor.GDI32(?,00000000), ref: 0105D618
                          • SelectObject.GDI32(?,?), ref: 0105D625
                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0105D644
                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0105D65B
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0105D670
                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0105D698
                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0105D6BF
                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0105D6DD
                          • DrawFocusRect.USER32(?,?), ref: 0105D6E8
                          • GetSysColor.USER32(00000011), ref: 0105D6F6
                          • SetTextColor.GDI32(?,00000000), ref: 0105D6FE
                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0105D712
                          • SelectObject.GDI32(?,0105D2A5), ref: 0105D729
                          • DeleteObject.GDI32(?), ref: 0105D734
                          • SelectObject.GDI32(?,?), ref: 0105D73A
                          • DeleteObject.GDI32(?), ref: 0105D73F
                          • SetTextColor.GDI32(?,?), ref: 0105D745
                          • SetBkColor.GDI32(?,?), ref: 0105D74F
                          Similarity
                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                          • String ID:
                          • API String ID: 1996641542-0
                          • Opcode ID: 4c7c33cc1fbb74fa138c5a55c477a0722b27305e44457d53877b5c85f2b3e8a2
                          • Instruction ID: 94cd930f766dc388f29188bf94089d59f84ff7fc6276717ae9873f401febe4b8
                          • Opcode Fuzzy Hash: 4c7c33cc1fbb74fa138c5a55c477a0722b27305e44457d53877b5c85f2b3e8a2
                          • Instruction Fuzzy Hash: 86513B71D00208BFDB219FE8DC48AAE7BB9FF08324F104515FA55BB295D7769A40CB50
                          APIs
                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0105B7B0
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0105B7C1
                          • CharNextW.USER32(0000014E), ref: 0105B7F0
                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0105B831
                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0105B847
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0105B858
                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0105B875
                          • SetWindowTextW.USER32(?,0000014E), ref: 0105B8C7
                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0105B8DD
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0105B90E
                          • _memset.LIBCMT ref: 0105B933
                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0105B97C
                          • _memset.LIBCMT ref: 0105B9DB
                          • SendMessageW.USER32 ref: 0105BA05
                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 0105BA5D
                          • SendMessageW.USER32(?,0000133D,?,?), ref: 0105BB0A
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0105BB2C
                          • GetMenuItemInfoW.USER32(?), ref: 0105BB76
                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0105BBA3
                          • DrawMenuBar.USER32(?), ref: 0105BBB2
                          • SetWindowTextW.USER32(?,0000014E), ref: 0105BBDA
                          Similarity
                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                          • String ID: 0
                          • API String ID: 1073566785-4108050209
                          • Opcode ID: eeabe00171c2d7e2d7eb2c79e2922a459f1d5be90ed2b17edb268c111df61c17
                          • Instruction ID: 8e2bab5ac5e86769327b798be769dcd72c96714b16bcc8305b0621c19baf1f0b
                          • Opcode Fuzzy Hash: eeabe00171c2d7e2d7eb2c79e2922a459f1d5be90ed2b17edb268c111df61c17
                          • Instruction Fuzzy Hash: 62E19070900209AFEB609FA5DC84AFF7BB9FF08714F048196FE95AA184D775A641CF60
                          APIs
                          • GetCursorPos.USER32(?), ref: 0105778A
                          • GetDesktopWindow.USER32 ref: 0105779F
                          • GetWindowRect.USER32(00000000), ref: 010577A6
                          • GetWindowLongW.USER32(?,000000F0), ref: 01057808
                          • DestroyWindow.USER32(?), ref: 01057834
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0105785D
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105787B
                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 010578A1
                          • SendMessageW.USER32(?,00000421,?,?), ref: 010578B6
                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 010578C9
                          • IsWindowVisible.USER32(?), ref: 010578E9
                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01057904
                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01057918
                          • GetWindowRect.USER32(?,?), ref: 01057930
                          • MonitorFromPoint.USER32(?,?,00000002), ref: 01057956
                          • GetMonitorInfoW.USER32 ref: 01057970
                          • CopyRect.USER32(?,?), ref: 01057987
                          • SendMessageW.USER32(?,00000412,00000000), ref: 010579F2
                          Similarity
                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                          • String ID: ($0$tooltips_class32
                          • API String ID: 698492251-4156429822
                          • Opcode ID: a2201143f34ddfd7ac6ccd9f7fc0d7a0e397a021fd2e5c074e95b7c307c9f61e
                          • Instruction ID: 159274a47a9b189907d1bf556ceb32767d5c773b2e417d324a1222cfbb4ee77d
                          • Opcode Fuzzy Hash: a2201143f34ddfd7ac6ccd9f7fc0d7a0e397a021fd2e5c074e95b7c307c9f61e
                          • Instruction Fuzzy Hash: 7DB17C71604301AFD794DF68C848B6BBBE5BF88310F40891DFAD99B291D775E804DBA2
                          APIs
                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 01036CFB
                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 01036D21
                          • _wcscpy.LIBCMT ref: 01036D4F
                          • _wcscmp.LIBCMT ref: 01036D5A
                          • _wcscat.LIBCMT ref: 01036D70
                          • _wcsstr.LIBCMT ref: 01036D7B
                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 01036D97
                          • _wcscat.LIBCMT ref: 01036DE0
                          • _wcscat.LIBCMT ref: 01036DE7
                          • _wcsncpy.LIBCMT ref: 01036E12
                          Similarity
                          • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                          • API String ID: 699586101-1459072770
                          • Opcode ID: 35ea7e7e31a51d4824c10b5e9eadb43e27fb89481a327b30478447e89ab4a96c
                          • Instruction ID: 7e72dc628c9df3480f4cf2ec6840fa4e34d883ee99e3e0eaafb138881f70f07c
                          • Opcode Fuzzy Hash: 35ea7e7e31a51d4824c10b5e9eadb43e27fb89481a327b30478447e89ab4a96c
                          • Instruction Fuzzy Hash: 26410671904206BBEB11BBA4DC46EFF77BCEF55610F040059FAC1A6185EF79AA0097A1
                          APIs
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0100A939
                          • GetSystemMetrics.USER32(00000007), ref: 0100A941
                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0100A96C
                          • GetSystemMetrics.USER32(00000008), ref: 0100A974
                          • GetSystemMetrics.USER32(00000004), ref: 0100A999
                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0100A9B6
                          • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0100A9C6
                          • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0100A9F9
                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0100AA0D
                          • GetClientRect.USER32(00000000,000000FF), ref: 0100AA2B
                          • GetStockObject.GDI32(00000011), ref: 0100AA47
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0100AA52
                            • Part of subcall function 0100B63C: GetCursorPos.USER32(000000FF), ref: 0100B64F
                            • Part of subcall function 0100B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0100B66C
                            • Part of subcall function 0100B63C: GetAsyncKeyState.USER32(00000001), ref: 0100B691
                            • Part of subcall function 0100B63C: GetAsyncKeyState.USER32(00000002), ref: 0100B69F
                          • SetTimer.USER32(00000000,00000000,00000028,0100AB87), ref: 0100AA79
                          Similarity
                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                          • String ID: AutoIt v3 GUI
                          • API String ID: 1458621304-248962490
                          • Opcode ID: 6f6a5929ff9cff2ecb09b0223d6685167b93ade9c8a10e14a4cbccd87f705111
                          • Instruction ID: 7a55f5408c18e54faf7cf7e6430cb3d62381f89aa2664309e552be57c8902e4d
                          • Opcode Fuzzy Hash: 6f6a5929ff9cff2ecb09b0223d6685167b93ade9c8a10e14a4cbccd87f705111
                          • Instruction Fuzzy Hash: 03B14C71A0020ADFEB25DFA8D895BED7BB5FF08314F114219FA95A72C4DB799840CB50
                          APIs
                          Similarity
                          • API ID: Window$Foreground
                          • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                          • API String ID: 62970417-1919597938
                          • Opcode ID: ae231396ebf8259357e4f746cd77c3129c6009a80cf93750c4631bba364c7ad2
                          • Instruction ID: ffa5ddc10f3017b4c8c25791d895ae27b2b3ac8a7f49e9d6398d454b7cb1ece2
                          • Opcode Fuzzy Hash: ae231396ebf8259357e4f746cd77c3129c6009a80cf93750c4631bba364c7ad2
                          • Instruction Fuzzy Hash: 11D1F83010824BEBDB05EF64C8409EABBF8BF54340F004E5DE6D6A75A1DB31E59ADB91
                          APIs
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01053735
                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0108DC00,00000000,?,00000000,?,?), ref: 010537A3
                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 010537EB
                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01053874
                          • RegCloseKey.ADVAPI32(?), ref: 01053B94
                          • RegCloseKey.ADVAPI32(00000000), ref: 01053BA1
                          Similarity
                          • API ID: Close$ConnectCreateRegistryValue
                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                          • API String ID: 536824911-966354055
                          • Opcode ID: 81710f1ec73d9e38a8b93f33462d00176f25eda217d6bc2cc9f2ed3eaa25d4db
                          • Instruction ID: 8cd02295695bcaf744d4f464050be22e1490ece2ebdd17d43ae624c758572090
                          • Opcode Fuzzy Hash: 81710f1ec73d9e38a8b93f33462d00176f25eda217d6bc2cc9f2ed3eaa25d4db
                          • Instruction Fuzzy Hash: 700268756046059FDB55EF28C844E2AB7E9FF88720F04845DFA9A9B3A1CB74EC01CB81
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 01056C56
                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 01056D16
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                          • API String ID: 3974292440-719923060
                          • Opcode ID: e0fb446625040455697c2c8bde72d3e2811079cad437020af1a570e4ced9357f
                          • Instruction ID: a69cd9ae0ebfc62122571ea1e0adc421d62431b75ef564a502c32b2f563a63d9
                          • Opcode Fuzzy Hash: e0fb446625040455697c2c8bde72d3e2811079cad437020af1a570e4ced9357f
                          • Instruction Fuzzy Hash: 76A18F3060424A9BDB94EF14C850ABBB7A5BF94310F444D5DADD6AB3D1DB72EC06CB81
                          APIs
                          • GetClassNameW.USER32(?,?,00000100), ref: 0102CF91
                          • __swprintf.LIBCMT ref: 0102D032
                          • _wcscmp.LIBCMT ref: 0102D045
                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0102D09A
                          • _wcscmp.LIBCMT ref: 0102D0D6
                          • GetClassNameW.USER32(?,?,00000400), ref: 0102D10D
                          • GetDlgCtrlID.USER32(?), ref: 0102D15F
                          • GetWindowRect.USER32(?,?), ref: 0102D195
                          • GetParent.USER32(?), ref: 0102D1B3
                          • ScreenToClient.USER32(00000000), ref: 0102D1BA
                          • GetClassNameW.USER32(?,?,00000100), ref: 0102D234
                          • _wcscmp.LIBCMT ref: 0102D248
                          • GetWindowTextW.USER32(?,?,00000400), ref: 0102D26E
                          • _wcscmp.LIBCMT ref: 0102D282
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                          • String ID: %s%u
                          • API String ID: 3119225716-679674701
                          • Opcode ID: 31dd419bd5cc23de051bbf793362cb042357054af3ac770acc1dddebbb45534f
                          • Instruction ID: f8b5efdf7e9462be403e35c3a4387ab27542dd7f2dc16bd9b71787c9afd43754
                          • Opcode Fuzzy Hash: 31dd419bd5cc23de051bbf793362cb042357054af3ac770acc1dddebbb45534f
                          • Instruction Fuzzy Hash: 8FA1E231604316AFD755DFA8C884FEAB7E8FF58354F00451AEAD9D2181DB34EA09CB91
                          APIs
                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0102D8EB
                          • _wcscmp.LIBCMT ref: 0102D8FC
                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0102D924
                          • CharUpperBuffW.USER32(?,00000000), ref: 0102D941
                          • _wcscmp.LIBCMT ref: 0102D95F
                          • _wcsstr.LIBCMT ref: 0102D970
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0102D9A8
                          • _wcscmp.LIBCMT ref: 0102D9B8
                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0102D9DF
                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0102DA28
                          • _wcscmp.LIBCMT ref: 0102DA38
                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0102DA60
                          • GetWindowRect.USER32(00000004,?), ref: 0102DAC9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                          • String ID: @$ThumbnailClass
                          • API String ID: 1788623398-1539354611
                          • Opcode ID: b680d00abcd856174f463dd7fd109bd8131c15de0b46bb58e7fe1781bded54e1
                          • Instruction ID: e91ee405bddd50b687ec3b59c59298a6f13681c38845f57369183757e6410636
                          • Opcode Fuzzy Hash: b680d00abcd856174f463dd7fd109bd8131c15de0b46bb58e7fe1781bded54e1
                          • Instruction Fuzzy Hash: 6881E3311083159BEB05CF98C884FAA7BE8FF44714F0444AAFEC99A096DB34DD45CBA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                          • API String ID: 1038674560-1810252412
                          • Opcode ID: 60f74dfd5a1b9cfd36ff4a81e56c56fe652625b431c35c492d31e1419beb744f
                          • Instruction ID: eb65754b73193b93ffb8906942730017b1857f8b077d5bef842a011f5d87a0b3
                          • Opcode Fuzzy Hash: 60f74dfd5a1b9cfd36ff4a81e56c56fe652625b431c35c492d31e1419beb744f
                          • Instruction Fuzzy Hash: 8A31CF31644219A6DB14FAE1CE53EEDB3A5AF20700F60017DF6C1B90E5FFA9AE049751
                          APIs
                          • LoadIconW.USER32(00000063), ref: 0102EAB0
                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0102EAC2
                          • SetWindowTextW.USER32(?,?), ref: 0102EAD9
                          • GetDlgItem.USER32(?,000003EA), ref: 0102EAEE
                          • SetWindowTextW.USER32(00000000,?), ref: 0102EAF4
                          • GetDlgItem.USER32(?,000003E9), ref: 0102EB04
                          • SetWindowTextW.USER32(00000000,?), ref: 0102EB0A
                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0102EB2B
                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0102EB45
                          • GetWindowRect.USER32(?,?), ref: 0102EB4E
                          • SetWindowTextW.USER32(?,?), ref: 0102EBB9
                          • GetDesktopWindow.USER32 ref: 0102EBBF
                          • GetWindowRect.USER32(00000000), ref: 0102EBC6
                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0102EC12
                          • GetClientRect.USER32(?,?), ref: 0102EC1F
                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0102EC44
                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0102EC6F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                          • String ID:
                          • API String ID: 3869813825-0
                          • Opcode ID: eb78766199b37931277be32e027783a25295913adcb13315150c66923c3433f9
                          • Instruction ID: 6163e547330267e1c0ac2f34dd4496e5f866292e8f4be22881c9c72755602efb
                          • Opcode Fuzzy Hash: eb78766199b37931277be32e027783a25295913adcb13315150c66923c3433f9
                          • Instruction Fuzzy Hash: 96514A71940709EFDB21DFA8CD89EAFBBF9FF08705F004928E686A2590D775A944CB10
                          APIs
                          • LoadCursorW.USER32(00000000,00007F8A), ref: 010479C6
                          • LoadCursorW.USER32(00000000,00007F00), ref: 010479D1
                          • LoadCursorW.USER32(00000000,00007F03), ref: 010479DC
                          • LoadCursorW.USER32(00000000,00007F8B), ref: 010479E7
                          • LoadCursorW.USER32(00000000,00007F01), ref: 010479F2
                          • LoadCursorW.USER32(00000000,00007F81), ref: 010479FD
                          • LoadCursorW.USER32(00000000,00007F88), ref: 01047A08
                          • LoadCursorW.USER32(00000000,00007F80), ref: 01047A13
                          • LoadCursorW.USER32(00000000,00007F86), ref: 01047A1E
                          • LoadCursorW.USER32(00000000,00007F83), ref: 01047A29
                          • LoadCursorW.USER32(00000000,00007F85), ref: 01047A34
                          • LoadCursorW.USER32(00000000,00007F82), ref: 01047A3F
                          • LoadCursorW.USER32(00000000,00007F84), ref: 01047A4A
                          • LoadCursorW.USER32(00000000,00007F04), ref: 01047A55
                          • LoadCursorW.USER32(00000000,00007F02), ref: 01047A60
                          • LoadCursorW.USER32(00000000,00007F89), ref: 01047A6B
                          • GetCursorInfo.USER32(?), ref: 01047A7B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Cursor$Load$Info
                          • String ID:
                          • API String ID: 2577412497-0
                          • Opcode ID: 8e452104583920d1c41631f8133cefeedd713faf91080a457ba3612ba4780a71
                          • Instruction ID: c7b1d792b1ef799a39a55c3f10cad05f603f46b8e5e18397fabb84160a8f3a15
                          • Opcode Fuzzy Hash: 8e452104583920d1c41631f8133cefeedd713faf91080a457ba3612ba4780a71
                          • Instruction Fuzzy Hash: 523116B0D0431A6BDB509FF68C8999FBEE8FF44750F40453AA54DE7180DB78A5008F91
                          APIs
                            • Part of subcall function 0100E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00FFC8B7,?,00002000,?,?,00000000,?,00FF419E,?,?,?,0108DC00), ref: 0100E984
                            • Part of subcall function 00FF660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF53B1,?,?,00FF61FF,?,00000000,00000001,00000000), ref: 00FF662F
                          • __wsplitpath.LIBCMT ref: 00FFC93E
                            • Part of subcall function 01011DFC: __wsplitpath_helper.LIBCMT ref: 01011E3C
                          • _wcscpy.LIBCMT ref: 00FFC953
                          • _wcscat.LIBCMT ref: 00FFC968
                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 00FFC978
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00FFCABE
                            • Part of subcall function 00FFB337: _wcscpy.LIBCMT ref: 00FFB36F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                          • API String ID: 2258743419-1018226102
                          • Opcode ID: 43e8082b2798cde1273db171020120fcdca4b5c003e6c8dc5a84a6a6e116c81f
                          • Instruction ID: 858998f2c1383a50d01e2bd8036a73eb5866606e5902b24e8f5949d134b5b08a
                          • Opcode Fuzzy Hash: 43e8082b2798cde1273db171020120fcdca4b5c003e6c8dc5a84a6a6e116c81f
                          • Instruction Fuzzy Hash: 60129D715083499FC724EF24C991AAFBBE8BF98304F00491DF6C997261DB34E949DB92
                          APIs
                          • _memset.LIBCMT ref: 0105CEFB
                          • DestroyWindow.USER32(?,?), ref: 0105CF73
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0105CFF4
                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0105D016
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105D025
                          • DestroyWindow.USER32(?), ref: 0105D042
                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00FF0000,00000000), ref: 0105D075
                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0105D094
                          • GetDesktopWindow.USER32 ref: 0105D0A9
                          • GetWindowRect.USER32(00000000), ref: 0105D0B0
                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0105D0C2
                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0105D0DA
                            • Part of subcall function 0100B526: GetWindowLongW.USER32(?,000000EB), ref: 0100B537
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                          • String ID: 0$tooltips_class32
                          • API String ID: 3877571568-3619404913
                          • Opcode ID: 85e125ba89585e3d21ca594faeda26595fbf80d85f98c969efcc21f5495c1546
                          • Instruction ID: 4a67841c9b013040d8c612d7c74b21a71f97d723d7c0af26ce54e0584311c775
                          • Opcode Fuzzy Hash: 85e125ba89585e3d21ca594faeda26595fbf80d85f98c969efcc21f5495c1546
                          • Instruction Fuzzy Hash: 5271AB74140305AFE760CF68CC84FA67BE9EB88744F04491EFAC59B291D779E942CB12
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • DragQueryPoint.SHELL32(?,?), ref: 0105F37A
                            • Part of subcall function 0105D7DE: ClientToScreen.USER32(?,?), ref: 0105D807
                            • Part of subcall function 0105D7DE: GetWindowRect.USER32(?,?), ref: 0105D87D
                            • Part of subcall function 0105D7DE: PtInRect.USER32(?,?,0105ED5A), ref: 0105D88D
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0105F3E3
                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0105F3EE
                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0105F411
                          • _wcscat.LIBCMT ref: 0105F441
                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0105F458
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0105F471
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0105F488
                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0105F4AA
                          • DragFinish.SHELL32(?), ref: 0105F4B1
                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0105F59C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                          • API String ID: 169749273-3440237614
                          • Opcode ID: 709d8675e13e1095b97da18c3b1d3d6c8b2157e1ddc01982a56f81efd43140ae
                          • Instruction ID: aa0805c21cb01cefda8b85f3c6671be12212f1434d6e1d23431cf48b96345d12
                          • Opcode Fuzzy Hash: 709d8675e13e1095b97da18c3b1d3d6c8b2157e1ddc01982a56f81efd43140ae
                          • Instruction Fuzzy Hash: FD616871408305AFC311EFA4DC85EAFBBE8BF88714F000A1EF6D5A61A1DB759609CB52
                          APIs
                          • VariantInit.OLEAUT32(00000000), ref: 0103AB3D
                          • VariantCopy.OLEAUT32(?,?), ref: 0103AB46
                          • VariantClear.OLEAUT32(?), ref: 0103AB52
                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0103AC40
                          • __swprintf.LIBCMT ref: 0103AC70
                          • VarR8FromDec.OLEAUT32(?,?), ref: 0103AC9C
                          • VariantInit.OLEAUT32(?), ref: 0103AD4D
                          • SysFreeString.OLEAUT32(00000016), ref: 0103ADDF
                          • VariantClear.OLEAUT32(?), ref: 0103AE35
                          • VariantClear.OLEAUT32(?), ref: 0103AE44
                          • VariantInit.OLEAUT32(00000000), ref: 0103AE80
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                          • API String ID: 3730832054-3931177956
                          • Opcode ID: a02509f6ea1faa71bdf0f462fb990ae01951ec91ff6657115df8585566b90c25
                          • Instruction ID: 64e1ce6343b7bc8ccd40c494888a41447fb2f695fcf239014e9371dcbd0d20f6
                          • Opcode Fuzzy Hash: a02509f6ea1faa71bdf0f462fb990ae01951ec91ff6657115df8585566b90c25
                          • Instruction Fuzzy Hash: 95D1B271B0411ADBDB249FA5C884BADBBBDBF84700F048895E5C5DB195DB74E840CBA1
                          APIs
                          • CharUpperBuffW.USER32(?,?), ref: 010571FC
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01057247
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharMessageSendUpper
                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                          • API String ID: 3974292440-4258414348
                          • Opcode ID: 8d05ad9021fe1c66633c8ae926f38ceb98dd41140431d8d00a5b789a02708546
                          • Instruction ID: 8da0c7e6ba8e361d805810c5fd6894c94db0ec366c2a2680729886f2358ceec7
                          • Opcode Fuzzy Hash: 8d05ad9021fe1c66633c8ae926f38ceb98dd41140431d8d00a5b789a02708546
                          • Instruction Fuzzy Hash: 409190342043068BDB45EF14C850AAFBBA5BF94310F44489DEDD66B3A2DB75ED0ADB81
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0105E5AB
                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0105BEAF), ref: 0105E607
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105E647
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105E68C
                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0105E6C3
                          • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0105BEAF), ref: 0105E6CF
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0105E6DF
                          • DestroyIcon.USER32(?,?,?,?,?,0105BEAF), ref: 0105E6EE
                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0105E70B
                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0105E717
                            • Part of subcall function 01010FA7: __wcsicmp_l.LIBCMT ref: 01011030
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                          • String ID: .dll$.exe$.icl
                          • API String ID: 1212759294-1154884017
                          • Opcode ID: 2e23225b2d4ebd3aa5a6ddfd7a5698ac80b5c94f76db06871f82191efeb78c9c
                          • Instruction ID: ffb4bc8a85a59902fa100ceeedfed56e3a150464856c9fac960bb4bf565a87ac
                          • Opcode Fuzzy Hash: 2e23225b2d4ebd3aa5a6ddfd7a5698ac80b5c94f76db06871f82191efeb78c9c
                          • Instruction Fuzzy Hash: 3261B071900219BAEB60DF68CC45FFEBBA8BF08764F104155F9D5E60D0EB759A80CBA0
                          APIs
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • CharLowerBuffW.USER32(?,?), ref: 0103D292
                          • GetDriveTypeW.KERNEL32 ref: 0103D2DF
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103D327
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103D35E
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0103D38C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                          • API String ID: 1148790751-4113822522
                          • Opcode ID: 06e553c19151c74e3b7fc61fb0086c96e9db64d7b7f396341705e2d7ba168557
                          • Instruction ID: 26073ce0fc09bf5d88565546639f4f68c0db9b343e3a6a4b45a8b1c8ae6e5e3d
                          • Opcode Fuzzy Hash: 06e553c19151c74e3b7fc61fb0086c96e9db64d7b7f396341705e2d7ba168557
                          • Instruction Fuzzy Hash: 8A516A715042099FC700EF54C89196EB7E8FF98718F40885CF9D5AB261DB35EE0ACB81
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,01063973,00000016,0000138C,00000016,?,00000016,0108DDB4,00000000,?), ref: 010326F1
                          • LoadStringW.USER32(00000000,?,01063973,00000016), ref: 010326FA
                          • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,01063973,00000016,0000138C,00000016,?,00000016,0108DDB4,00000000,?,00000016), ref: 0103271C
                          • LoadStringW.USER32(00000000,?,01063973,00000016), ref: 0103271F
                          • __swprintf.LIBCMT ref: 0103276F
                          • __swprintf.LIBCMT ref: 01032780
                          • _wprintf.LIBCMT ref: 01032829
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 01032840
                          Strings
                          Similarity
                          • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                          • API String ID: 618562835-2268648507
                          APIs
                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0103D0D8
                          • __swprintf.LIBCMT ref: 0103D0FA
                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0103D137
                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0103D15C
                          • _memset.LIBCMT ref: 0103D17B
                          • _wcsncpy.LIBCMT ref: 0103D1B7
                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0103D1EC
                          • CloseHandle.KERNEL32(00000000), ref: 0103D1F7
                          • RemoveDirectoryW.KERNEL32(?), ref: 0103D200
                          • CloseHandle.KERNEL32(00000000), ref: 0103D20A
                          Strings
                          Similarity
                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                          • String ID: :$\$\??\%s
                          • API String ID: 2733774712-3457252023
                          APIs
                          • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0105BEF4,?,?), ref: 0105E754
                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E76B
                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E776
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E783
                          • GlobalLock.KERNEL32(00000000), ref: 0105E78C
                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E79B
                          • GlobalUnlock.KERNEL32(00000000), ref: 0105E7A4
                          • CloseHandle.KERNEL32(00000000,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E7AB
                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0105BEF4,?,?,00000000,?), ref: 0105E7BC
                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,0107D9BC,?), ref: 0105E7D5
                          • GlobalFree.KERNEL32(00000000), ref: 0105E7E5
                          • GetObjectW.GDI32(00000000,00000018,?), ref: 0105E809
                          • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0105E834
                          • DeleteObject.GDI32(00000000), ref: 0105E85C
                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0105E872
                          Similarity
                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                          • String ID:
                          • API String ID: 3840717409-0
                          APIs
                          • __wsplitpath.LIBCMT ref: 0104076F
                          • _wcscat.LIBCMT ref: 01040787
                          • _wcscat.LIBCMT ref: 01040799
                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 010407AE
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 010407C2
                          • GetFileAttributesW.KERNEL32(?), ref: 010407DA
                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 010407F4
                          • SetCurrentDirectoryW.KERNEL32(?), ref: 01040806
                          Strings
                          Similarity
                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                          • String ID: *.*
                          • API String ID: 34673085-438819550
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0105EF3B
                          • GetFocus.USER32 ref: 0105EF4B
                          • GetDlgCtrlID.USER32(00000000), ref: 0105EF56
                          • _memset.LIBCMT ref: 0105F081
                          • GetMenuItemInfoW.USER32 ref: 0105F0AC
                          • GetMenuItemCount.USER32(00000000), ref: 0105F0CC
                          • GetMenuItemID.USER32(?,00000000), ref: 0105F0DF
                          • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0105F113
                          • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0105F15B
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0105F193
                          • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0105F1C8
                          Strings
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                          • String ID: 0
                          • API String ID: 1296962147-4108050209
                          APIs
                            • Part of subcall function 0102ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0102ABD7
                            • Part of subcall function 0102ABBB: GetLastError.KERNEL32(?,0102A69F,?,?,?), ref: 0102ABE1
                            • Part of subcall function 0102ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0102A69F,?,?,?), ref: 0102ABF0
                            • Part of subcall function 0102ABBB: HeapAlloc.KERNEL32(00000000,?,0102A69F,?,?,?), ref: 0102ABF7
                            • Part of subcall function 0102ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0102AC0E
                            • Part of subcall function 0102AC56: GetProcessHeap.KERNEL32(00000008,0102A6B5,00000000,00000000,?,0102A6B5,?), ref: 0102AC62
                            • Part of subcall function 0102AC56: HeapAlloc.KERNEL32(00000000,?,0102A6B5,?), ref: 0102AC69
                            • Part of subcall function 0102AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0102A6B5,?), ref: 0102AC7A
                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0102A8CB
                          • _memset.LIBCMT ref: 0102A8E0
                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0102A8FF
                          • GetLengthSid.ADVAPI32(?), ref: 0102A910
                          • GetAce.ADVAPI32(?,00000000,?), ref: 0102A94D
                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0102A969
                          • GetLengthSid.ADVAPI32(?), ref: 0102A986
                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0102A995
                          • HeapAlloc.KERNEL32(00000000), ref: 0102A99C
                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0102A9BD
                          • CopySid.ADVAPI32(00000000), ref: 0102A9C4
                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0102A9F5
                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0102AA1B
                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0102AA2F
                          Similarity
                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                          • String ID:
                          • API String ID: 3996160137-0
                          APIs
                          • GetDC.USER32(00000000), ref: 01049E36
                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 01049E42
                          • CreateCompatibleDC.GDI32(?), ref: 01049E4E
                          • SelectObject.GDI32(00000000,?), ref: 01049E5B
                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01049EAF
                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 01049EEB
                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01049F0F
                          • SelectObject.GDI32(00000006,?), ref: 01049F17
                          • DeleteObject.GDI32(?), ref: 01049F20
                          • DeleteDC.GDI32(00000006), ref: 01049F27
                          • ReleaseDC.USER32(00000000,?), ref: 01049F32
                          Strings
                          Similarity
                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                          • String ID: (
                          • API String ID: 2598888154-3887548279
                          APIs
                          Strings
                          Similarity
                          • API ID: LoadString__swprintf_wprintf
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2889450990-2391861430
                          APIs
                          Strings
                          Similarity
                          • API ID: LoadString__swprintf_wprintf
                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                          • API String ID: 2889450990-3420473620
                          APIs
                          • _memset.LIBCMT ref: 010355D7
                          • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 01035664
                          • GetMenuItemCount.USER32(010B1708), ref: 010356ED
                          • DeleteMenu.USER32(010B1708,00000005,00000000,000000F5,?,?), ref: 0103577D
                          • DeleteMenu.USER32(010B1708,00000004,00000000), ref: 01035785
                          • DeleteMenu.USER32(010B1708,00000006,00000000), ref: 0103578D
                          • DeleteMenu.USER32(010B1708,00000003,00000000), ref: 01035795
                          • GetMenuItemCount.USER32(010B1708), ref: 0103579D
                          • SetMenuItemInfoW.USER32(010B1708,00000004,00000000,00000030), ref: 010357D3
                          • GetCursorPos.USER32(?), ref: 010357DD
                          • SetForegroundWindow.USER32(00000000), ref: 010357E6
                          • TrackPopupMenuEx.USER32(010B1708,00000000,?,00000000,00000000,00000000), ref: 010357F9
                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 01035805
                          Similarity
                          • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                          • String ID:
                          • API String ID: 3993528054-0
                          APIs
                          • _memset.LIBCMT ref: 0102A1DC
                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0102A211
                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0102A22D
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0102A249
                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0102A273
                          • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0102A29B
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102A2A6
                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0102A2AB
                          Strings
                          Similarity
                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                          • API String ID: 1687751970-22481851
                          APIs
                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,01052BB5,?,?), ref: 01053C1D
                          Strings
                          Similarity
                          • API ID: BuffCharUpper
                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                          • API String ID: 3964851224-909552448
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,010636F4,00000010,?,Bad directive syntax error,0108DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 010325D6
                          • LoadStringW.USER32(00000000,?,010636F4,00000010), ref: 010325DD
                          • _wprintf.LIBCMT ref: 01032610
                          • __swprintf.LIBCMT ref: 01032632
                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 010326A1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                          • API String ID: 1080873982-4153970271
                          • Opcode ID: f595fa7b957d3c9f45bb416287e1d9d54556602cfdf2021efacf56a48a2f6b14
                          • Instruction ID: c06e5bf7c8d6eccf198dc3924ca96efcd0715f58c80afafdb65fec2e66dd00eb
                          • Opcode Fuzzy Hash: f595fa7b957d3c9f45bb416287e1d9d54556602cfdf2021efacf56a48a2f6b14
                          • Instruction Fuzzy Hash: C6212B3190021EAFCF11BB90CC4AEEE7B79BF18704F444459F6456A0A2EA75A629EB50
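Every record in this listing has the same shape (an APIs block, an optional Strings block, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity), so the listing can be turned into structured data for comparing functions across reports or hunting for a particular API call sequence. The parser below is added example code, not part of this report or of Joe Sandbox; its input is a constructed, abbreviated excerpt modelled on the records above, and the record fields and helper names (`api_sequence`, `string_ids`, `records_calling`) are the example's own. It tolerates the "Download File" link label that the HTML export appends to the Associated lines.

```python
# Added example: parse Joe Sandbox per-function records (the shape used in this listing).
# SAMPLE is a constructed, abbreviated excerpt modelled on the records above.
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01037B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01037B58
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01037B7B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
• Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
APIs
• timeGetTime.WINMM ref: 01037794
  • Part of subcall function 0100DC38: timeGetTime.WINMM(?,75A8B400,010658AB), ref: 0100DC3C
• Sleep.KERNEL32(0000000A), ref: 010377C0
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 01032F61
• GetKeyState.USER32(000000A0), ref: 01032F78
Similarity
• API ID: State$Async$Keyboard
• String ID:
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<name>.<MODULE>(<args>), ref: <addr>", optionally prefixed with the subcall marker.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str              # address of the call site
    subcall_of: str = ""  # callee address when the plugin folded a subcall into the record


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    dump: dict[str, list[str]] = field(default_factory=dict)
    similarity: dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; every record starts at its 'APIs' header."""
    records, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            if section == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            continue
        if cur is None:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m["args"].split(",") if m["args"] is not None else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"] or ""))
        elif section == "Strings":
            cur.strings.append(line)
        elif section in ("Memory Dump Source", "Joe Sandbox IDA Plugin"):
            for part in line.split(", "):  # "Source File: X, Offset: Y, based on PE: true"
                key, _, value = part.partition(": ")
                # The HTML export glues its "Download File" link label onto Associated lines.
                cur.dump.setdefault(key, []).append(value.removesuffix("Download File").strip())
        elif section == "Similarity":
            key, _, value = line.partition(":")
            cur.similarity[key.strip()] = value.strip()
    return records


def api_sequence(rec: FunctionRecord, include_subcalls: bool = False) -> tuple[str, ...]:
    """Ordered MODULE!Name sequence: a stable key for matching a function across reports."""
    return tuple(f"{c.module}!{c.name}" for c in rec.apis if include_subcalls or not c.subcall_of)


def string_ids(rec: FunctionRecord) -> list[str]:
    """The '$'-joined String ID field as individual strings."""
    value = rec.similarity.get("String ID", "")
    return value.split("$") if value else []


def records_calling(records: list[FunctionRecord], api_names) -> list[FunctionRecord]:
    """Records whose own or folded-in calls include any of the given API names."""
    wanted = set(api_names)
    return [r for r in records if wanted & {c.name for c in r.apis}]
```

Subcall lines ("Part of subcall function ...") are kept but marked, so `api_sequence` can be computed either for the function's own call sites or including what the plugin folded in; matching on the former is less brittle when a report lists a callee at a different depth.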
                          APIs
                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 01037B42
                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 01037B58
                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 01037B69
                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 01037B7B
                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 01037B8C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: SendString
                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                          • API String ID: 890592661-1007645807
                          • Opcode ID: d52129e9b6a2881b9d9303ed6541fbfc868994c186c5be95e9afa6884279b2d2
                          • Instruction ID: 4fa6eafbdca91481650f149275035389075aee5b8948b4122986aaca38a22c8c
                          • Opcode Fuzzy Hash: d52129e9b6a2881b9d9303ed6541fbfc868994c186c5be95e9afa6884279b2d2
                          • Instruction Fuzzy Hash: CF11C4A1A4026D79D734B7A6CC4AEFFBEBCFFD1B10F4004197651AA091EE641944C6B1
                          APIs
                          • timeGetTime.WINMM ref: 01037794
                            • Part of subcall function 0100DC38: timeGetTime.WINMM(?,75A8B400,010658AB), ref: 0100DC3C
                          • Sleep.KERNEL32(0000000A), ref: 010377C0
                          • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 010377E4
                          • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 01037806
                          • SetActiveWindow.USER32 ref: 01037825
                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 01037833
                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 01037852
                          • Sleep.KERNEL32(000000FA), ref: 0103785D
                          • IsWindow.USER32 ref: 01037869
                          • EndDialog.USER32(00000000), ref: 0103787A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                          • String ID: BUTTON
                          • API String ID: 1194449130-3405671355
                          • Opcode ID: ae8a24b3de6cf088c34417a2fd9d19e0a7f08b5b6356a1a997eb6c185e0daa4a
                          • Instruction ID: 2d62ee93f3e25dda6c637dc12272e90a2cb8f457f6d2467cfb9909276b5ea3eb
                          • Opcode Fuzzy Hash: ae8a24b3de6cf088c34417a2fd9d19e0a7f08b5b6356a1a997eb6c185e0daa4a
                          • Instruction Fuzzy Hash: 112181B0640209BFE7255BA4ECD8BAA3F6DFF84748F504014F5C5AA259DB7B5C00DB21
                          APIs
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • CoInitialize.OLE32(00000000), ref: 0104034B
                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 010403DE
                          • SHGetDesktopFolder.SHELL32(?), ref: 010403F2
                          • CoCreateInstance.OLE32(0107DA8C,00000000,00000001,010A3CF8,?), ref: 0104043E
                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 010404AD
                          • CoTaskMemFree.OLE32(?,?), ref: 01040505
                          • _memset.LIBCMT ref: 01040542
                          • SHBrowseForFolderW.SHELL32(?), ref: 0104057E
                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 010405A1
                          • CoTaskMemFree.OLE32(00000000), ref: 010405A8
                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 010405DF
                          • CoUninitialize.OLE32(00000001,00000000), ref: 010405E1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                          • String ID:
                          • API String ID: 1246142700-0
                          • Opcode ID: 5072d31435ce62589c64f9a8de41282e6e4b1a71f1b15dbc6b8c0a6dc1fb282e
                          • Instruction ID: 8ea8b8fd5456ff15a4fabd25694cd7a25ab310b3bb5db7a90f08c7f4bb138afb
                          • Opcode Fuzzy Hash: 5072d31435ce62589c64f9a8de41282e6e4b1a71f1b15dbc6b8c0a6dc1fb282e
                          • Instruction Fuzzy Hash: E7B1FB75A00209AFDB14DFA4C888DAEBBF9FF88304B0484A9F945EB251DB35ED41CB50
                          APIs
                          • GetKeyboardState.USER32(?), ref: 01032ED6
                          • SetKeyboardState.USER32(?), ref: 01032F41
                          • GetAsyncKeyState.USER32(000000A0), ref: 01032F61
                          • GetKeyState.USER32(000000A0), ref: 01032F78
                          • GetAsyncKeyState.USER32(000000A1), ref: 01032FA7
                          • GetKeyState.USER32(000000A1), ref: 01032FB8
                          • GetAsyncKeyState.USER32(00000011), ref: 01032FE4
                          • GetKeyState.USER32(00000011), ref: 01032FF2
                          • GetAsyncKeyState.USER32(00000012), ref: 0103301B
                          • GetKeyState.USER32(00000012), ref: 01033029
                          • GetAsyncKeyState.USER32(0000005B), ref: 01033052
                          • GetKeyState.USER32(0000005B), ref: 01033060
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: State$Async$Keyboard
                          • String ID:
                          • API String ID: 541375521-0
                          • Opcode ID: 91fd11459159e92a6a4641315e5531e419536facda5ecdd874a28f2444fe4315
                          • Instruction ID: ff023be60687d305fa7175e0d6c0ca76e0c74f8182205efdac3aec261b119242
                          • Opcode Fuzzy Hash: 91fd11459159e92a6a4641315e5531e419536facda5ecdd874a28f2444fe4315
                          • Instruction Fuzzy Hash: 6051E920A08B9829FB75DBB884517EABFFC5F91340F0845DDD6C25E1C2DA54978CCBA2
                          APIs
                          • GetDlgItem.USER32(?,00000001), ref: 0102ED1E
                          • GetWindowRect.USER32(00000000,?), ref: 0102ED30
                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0102ED8E
                          • GetDlgItem.USER32(?,00000002), ref: 0102ED99
                          • GetWindowRect.USER32(00000000,?), ref: 0102EDAB
                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0102EE01
                          • GetDlgItem.USER32(?,000003E9), ref: 0102EE0F
                          • GetWindowRect.USER32(00000000,?), ref: 0102EE20
                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0102EE63
                          • GetDlgItem.USER32(?,000003EA), ref: 0102EE71
                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0102EE8E
                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0102EE9B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$ItemMoveRect$Invalidate
                          • String ID:
                          • API String ID: 3096461208-0
                          • Opcode ID: 2913f1d5b0c85ea35a6ced73e423cae6eea7ecf48a94e143c2d3993bd8679110
                          • Instruction ID: 66b68f155e9f3d0efaebe3769dd90be2fcfd4c68a48563b8adda614ef46ebdcf
                          • Opcode Fuzzy Hash: 2913f1d5b0c85ea35a6ced73e423cae6eea7ecf48a94e143c2d3993bd8679110
                          • Instruction Fuzzy Hash: B8512EB1B00205AFDF18DFACDD85AAEBBBAFF88710F148169F559E7284D77599008B10
                          APIs
                            • Part of subcall function 0100B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0100B759,?,00000000,?,?,?,?,0100B72B,00000000,?), ref: 0100BA58
                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0100B72B), ref: 0100B7F6
                          • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0100B72B,00000000,?,?,0100B2EF,?,?), ref: 0100B88D
                          • DestroyAcceleratorTable.USER32(00000000), ref: 0106D8A6
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0100B72B,00000000,?,?,0100B2EF,?,?), ref: 0106D8D7
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0100B72B,00000000,?,?,0100B2EF,?,?), ref: 0106D8EE
                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0100B72B,00000000,?,?,0100B2EF,?,?), ref: 0106D90A
                          • DeleteObject.GDI32(00000000), ref: 0106D91C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                          • String ID:
                          • API String ID: 641708696-0
                          • Opcode ID: 312e33a03c02f38e723f928114a45035af1bf882ce93d031c708945ed96d8d10
                          • Instruction ID: 59a03eb1f8fd7fc60be1aee33ced1e1d4963696a115c671d84a041e7e8044e6f
                          • Opcode Fuzzy Hash: 312e33a03c02f38e723f928114a45035af1bf882ce93d031c708945ed96d8d10
                          • Instruction Fuzzy Hash: FD618E34500601DFEB379F58E998B69BBF5FF48311F18055DE1C696AA4C779A880CF90
                          APIs
                            • Part of subcall function 0100B526: GetWindowLongW.USER32(?,000000EB), ref: 0100B537
                          • GetSysColor.USER32(0000000F), ref: 0100B438
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ColorLongWindow
                          • String ID:
                          • API String ID: 259745315-0
                          • Opcode ID: 71553ff29d2ab1d5a7fe5216bd1fd54f6c604ac1916ec41941ceaff3f6ffbd9d
                          • Instruction ID: 239fd0c9230c0b6ef1914d73cb56529b9073c3c7210c7657f3e8bf219d00fd6b
                          • Opcode Fuzzy Hash: 71553ff29d2ab1d5a7fe5216bd1fd54f6c604ac1916ec41941ceaff3f6ffbd9d
                          • Instruction Fuzzy Hash: 6941D334500104AFEB326F6CD889BBD3BA5EF06731F1942A1FEE59A1D6DB358941C721
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                          • String ID:
                          • API String ID: 136442275-0
                          • Opcode ID: 5cfc832dc0474f0677b006d5a3ca7a9a0d57d33b68de2140abdd10a0cb344678
                          • Instruction ID: b044c964ec68453f2af02abf28d3df7b7c9ba6750f42d6b63f66d9a151370cb3
                          • Opcode Fuzzy Hash: 5cfc832dc0474f0677b006d5a3ca7a9a0d57d33b68de2140abdd10a0cb344678
                          • Instruction Fuzzy Hash: BB414F7684521DAECF62EB94CC40DCFB3BDEB94200F0041E6B6C9A2044EE35A7E98F50
                          APIs
                          • CharLowerBuffW.USER32(0108DC00,0108DC00,0108DC00), ref: 0103D7CE
                          • GetDriveTypeW.KERNEL32(?,010A3A70,00000061), ref: 0103D898
                          • _wcscpy.LIBCMT ref: 0103D8C2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharDriveLowerType_wcscpy
                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                          • API String ID: 2820617543-1000479233
                          • Opcode ID: d0d405b80bb79c2b6a626c89e3c298b3b1dcb7519c97714b90379896bb568a04
                          • Instruction ID: cde56f4cdb2e8a68b01a074c2c77ace8b4bd715b87820fae678771e63d5f1485
                          • Opcode Fuzzy Hash: d0d405b80bb79c2b6a626c89e3c298b3b1dcb7519c97714b90379896bb568a04
                          • Instruction Fuzzy Hash: 9351DF30508305AFD700EF54D891AAEB7A9FFD4314F90881DF6DA6B2A1DB31E905CB42
                          APIs
                          • __swprintf.LIBCMT ref: 00FF93AB
                          • __itow.LIBCMT ref: 00FF93DF
                            • Part of subcall function 01011557: _xtow@16.LIBCMT ref: 01011578
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __itow__swprintf_xtow@16
                          • String ID: %.15g$0x%p$False$True
                          • API String ID: 1502193981-2263619337
                          • Opcode ID: 9e2630d3ebcb69cafbd2d2f62d303d68a3c79693ab9f2e958cc3d7bb375ff1d6
                          • Instruction ID: b26258f11577138e86f244eecd35b1a7644e38ee00943ef904b408fa24de4ee7
                          • Opcode Fuzzy Hash: 9e2630d3ebcb69cafbd2d2f62d303d68a3c79693ab9f2e958cc3d7bb375ff1d6
                          • Instruction Fuzzy Hash: FC41E332504209EBEB64EF78D941FB977ECEF44310F2044AEE2C9D72A5EA719941DB50
                          APIs
                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0105A259
                          • CreateCompatibleDC.GDI32(00000000), ref: 0105A260
                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0105A273
                          • SelectObject.GDI32(00000000,00000000), ref: 0105A27B
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0105A286
                          • DeleteDC.GDI32(00000000), ref: 0105A28F
                          • GetWindowLongW.USER32(?,000000EC), ref: 0105A299
                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0105A2AD
                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0105A2B9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                          • String ID: static
                          • API String ID: 2559357485-2160076837
                          • Opcode ID: bd22e9100d70604dfa95219b23793fe04f56bb554b2629209c846c5158411fa9
                          • Instruction ID: f6a115e6816efdd2cf009f07dd03c8941c855e17aeb1e1376af8a570df29304f
                          • Opcode Fuzzy Hash: bd22e9100d70604dfa95219b23793fe04f56bb554b2629209c846c5158411fa9
                          • Instruction Fuzzy Hash: 9B312B31600119BBDB625FA8DC49FEB3BA9FF0D760F110315FA99A6190C7369811DBA4
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                          • String ID: 0.0.0.0
                          • API String ID: 2620052-3771769585
                          • Opcode ID: f09290174d03c0cea941c865338b922b1f8beb39053fc36dc77b6aaca27d6f12
                          • Instruction ID: ef4176b9de6da13d21801f17291659e143be207132338b01f90a08daa7daa6bd
                          • Opcode Fuzzy Hash: f09290174d03c0cea941c865338b922b1f8beb39053fc36dc77b6aaca27d6f12
                          • Instruction Fuzzy Hash: BE11E47190411ABFDB25AB64DC49EEE77ACEF90710F4000A9F1C5A6084FF7ADA858B50
                          APIs
                          • _memset.LIBCMT ref: 01015047
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          • __gmtime64_s.LIBCMT ref: 010150E0
                          • __gmtime64_s.LIBCMT ref: 01015116
                          • __gmtime64_s.LIBCMT ref: 01015133
                          • __allrem.LIBCMT ref: 01015189
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010151A5
                          • __allrem.LIBCMT ref: 010151BC
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010151DA
                          • __allrem.LIBCMT ref: 010151F1
                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0101520F
                          • __invoke_watson.LIBCMT ref: 01015280
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                          • String ID:
                          • API String ID: 384356119-0
                          • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                          • Instruction ID: 25a3a3c19c35e5c373937b41a3efcd7e3207574315a1c61905f10f6d131f82c5
                          • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                          • Instruction Fuzzy Hash: BC712772A00717ABE7159EBCCC40BEA77E8BF96264F144269F590DF284E778D9408BD0
                          APIs
                          • _memset.LIBCMT ref: 01034DF8
                          • GetMenuItemInfoW.USER32(010B1708,000000FF,00000000,00000030), ref: 01034E59
                          • SetMenuItemInfoW.USER32(010B1708,00000004,00000000,00000030), ref: 01034E8F
                          • Sleep.KERNEL32(000001F4), ref: 01034EA1
                          • GetMenuItemCount.USER32(?), ref: 01034EE5
                          • GetMenuItemID.USER32(?,00000000), ref: 01034F01
                          • GetMenuItemID.USER32(?,-00000001), ref: 01034F2B
                          • GetMenuItemID.USER32(?,?), ref: 01034F70
                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 01034FB6
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01034FCA
                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01034FEB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                          • String ID:
                          • API String ID: 4176008265-0
                          • Opcode ID: 846cf05f6c342ec29f47ed7f402de02577d3d24db1503581d56574fd9af7a070
                          • Instruction ID: 080f7384d05d4f8460187b8187c063148510c13daa50fdb33bb311c167d5f97e
                          • Opcode Fuzzy Hash: 846cf05f6c342ec29f47ed7f402de02577d3d24db1503581d56574fd9af7a070
                          • Instruction Fuzzy Hash: 06618371900249AFDB61CFA8D888AEE7BFCEF85308F184199F581EB255D775AD05CB20
                          APIs
                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01059C98
                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01059C9B
                          • GetWindowLongW.USER32(?,000000F0), ref: 01059CBF
                          • _memset.LIBCMT ref: 01059CD0
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01059CE2
                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01059D5A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$LongWindow_memset
                          • String ID:
                          • API String ID: 830647256-0
                          • Opcode ID: 8e563b752f3a2d3283dbdad87e5534413909ecd75ce8446c54f56fef5524a051
                          • Instruction ID: d1bbffd5e506b4fb832a418e09a94425b4c6f4fc7a913a5e22e5dd14ef5570f2
                          • Opcode Fuzzy Hash: 8e563b752f3a2d3283dbdad87e5534413909ecd75ce8446c54f56fef5524a051
                          • Instruction Fuzzy Hash: CE619B75900208EFDB20DFA8DC80EEE77B8EF09704F10419AFE84A7291D774A941DB60
                          APIs
                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 010294FE
                          • SafeArrayAllocData.OLEAUT32(?), ref: 01029549
                          • VariantInit.OLEAUT32(?), ref: 0102955B
                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 0102957B
                          • VariantCopy.OLEAUT32(?,?), ref: 010295BE
                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 010295D2
                          • VariantClear.OLEAUT32(?), ref: 010295E7
                          • SafeArrayDestroyData.OLEAUT32(?), ref: 010295F4
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 010295FD
                          • VariantClear.OLEAUT32(?), ref: 0102960F
                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0102961A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                          • String ID:
                          • API String ID: 2706829360-0
                          • Opcode ID: fc59188c04c3a80773a5db916700112c7ec3ee5dc0b0afc4e909d3eddc69ba3e
                          • Instruction ID: c43c9088283744c2fedb57dbdbe51b9017ccefc3589c9805636734b367e6352e
                          • Opcode Fuzzy Hash: fc59188c04c3a80773a5db916700112c7ec3ee5dc0b0afc4e909d3eddc69ba3e
                          • Instruction Fuzzy Hash: 1B410E31E00229AFDB11DFE4D8489DEBFB9FF48354F008065E591B7250DB36AA45CBA1
                          APIs
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • CoInitialize.OLE32 ref: 0104ADF6
                          • CoUninitialize.OLE32 ref: 0104AE01
                          • CoCreateInstance.OLE32(?,00000000,00000017,0107D8FC,?), ref: 0104AE61
                          • IIDFromString.OLE32(?,?), ref: 0104AED4
                          • VariantInit.OLEAUT32(?), ref: 0104AF6E
                          • VariantClear.OLEAUT32(?), ref: 0104AFCF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                          • API String ID: 834269672-1287834457
                          • Opcode ID: 00cbfefbebe9edad6afe9af9480b84ce4769d9daf65173521e6453b5ab8997d1
                          • Instruction ID: 134462fe201cf04f5e043e77cded24b2fc8ca4ba8aaed0531c4d230c51a5f244
                          • Opcode Fuzzy Hash: 00cbfefbebe9edad6afe9af9480b84ce4769d9daf65173521e6453b5ab8997d1
                          • Instruction Fuzzy Hash: B3617BB1748301EFD721DF95C888B6EBBE8AF88714F004469F9D69B291C774E944CB92
                          APIs
                          • WSAStartup.WSOCK32(00000101,?), ref: 01048168
                          • inet_addr.WSOCK32(?,?,?), ref: 010481AD
                          • gethostbyname.WSOCK32(?), ref: 010481B9
                          • IcmpCreateFile.IPHLPAPI ref: 010481C7
                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01048237
                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0104824D
                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 010482C2
                          • WSACleanup.WSOCK32 ref: 010482C8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                          • String ID: Ping
                          • API String ID: 1028309954-2246546115
                          • Opcode ID: 1fafcd62c2a2d1953fb0028105ad97cfbad32ae558e01b036a7f57e321a2d37e
                          • Instruction ID: e6b0ba2ff87c06e785389c7b7bda8f741864cde37335793495f1384c670e63af
                          • Opcode Fuzzy Hash: 1fafcd62c2a2d1953fb0028105ad97cfbad32ae558e01b036a7f57e321a2d37e
                          • Instruction Fuzzy Hash: 6151A571604701AFD761AFA4DD85B6ABBE4FF44310F04896AFAD5EB2A0DB74E800CB41
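As an added example (this is not part of the Joe Sandbox report, and not code from the sample), the following Python parses the `APIs` listing format used throughout this section into structured records, so that a function's call sequence, imported modules and recovered constant arguments can be checked mechanically instead of by eye. The sample input is the ICMP block above, copied verbatim, plus one `Part of subcall function` line in the same layout; the bullet character and the `ref:` suffix are assumed to be exactly as extracted here. Argument positions follow the published Win32 prototypes, so the eighth `IcmpSendEcho` argument is the reply timeout in milliseconds.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: the "APIs" block of the ICMP/ping function from the listing above,
# with one subcall line in the same format appended to exercise that branch.
SAMPLE = """\
• WSAStartup.WSOCK32(00000101,?), ref: 01048168
• inet_addr.WSOCK32(?,?,?), ref: 010481AD
• gethostbyname.WSOCK32(?), ref: 010481B9
• IcmpCreateFile.IPHLPAPI ref: 010481C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01048237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0104824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 010482C2
• WSACleanup.WSOCK32 ref: 010482C8
  • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
"""

# One listing line: optional subcall prefix, "Name.MODULE", optional "(args)", then "ref: ADDR".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

Arg = Union[int, str, None]


@dataclass
class ApiCall:
    name: str                     # API or CRT routine, e.g. IcmpSendEcho
    module: str                   # module suffix as printed, e.g. IPHLPAPI
    args: List[Arg]               # None = unknown ("?"), int = recovered constant, str = symbolic
    ref: int                      # call-site address
    subcall_of: Optional[int]     # address of the callee when the line is a "Part of subcall"


def parse_arg(tok: str) -> Arg:
    """Decode one argument token: '?' is unknown, 8 hex digits (optionally negative) is a constant."""
    tok = tok.strip()
    if tok == "?":
        return None
    m = re.fullmatch(r"(-?)([0-9A-Fa-f]{8})", tok)
    if m:
        value = int(m.group(2), 16)
        return -value if m.group(1) else value
    return tok  # a symbolic argument the plugin resolved, e.g. a string constant


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every non-empty line of an 'APIs' block; raise on a line that does not fit the format."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        raw_args = m["args"]
        args = [parse_arg(a) for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            name=m["name"], module=m["module"], args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """Direct calls of the function in listing order, excluding lines attributed to subcalls."""
    return [c.name for c in calls if c.subcall_of is None]


def modules(calls: List[ApiCall]) -> List[str]:
    """Sorted set of modules the function (and its listed subcalls) reach into."""
    return sorted({c.module for c in calls})


def icmp_timeout_ms(calls: List[ApiCall]) -> Optional[int]:
    """Timeout (8th argument) of the first IcmpSendEcho whose timeout constant was recovered."""
    for c in calls:
        if c.name == "IcmpSendEcho" and len(c.args) >= 8 and isinstance(c.args[7], int):
            return c.args[7]
    return None


if __name__ == "__main__":
    parsed = parse_api_block(SAMPLE)
    print(" -> ".join(call_sequence(parsed)))
    print("modules:", modules(parsed))
    print("IcmpSendEcho timeout:", icmp_timeout_ms(parsed), "ms")
```

Running the block prints the call chain `WSAStartup -> inet_addr -> gethostbyname -> IcmpCreateFile -> IcmpSendEcho -> ... -> WSACleanup` and decodes the recovered timeout `00000FA0` as 4000 ms; the same parser can be pointed at any other `APIs` block in this report, which is the point of keeping the grammar in one regular expression rather than hard-coding the ping case.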
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0103E396
                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0103E40C
                          • GetLastError.KERNEL32 ref: 0103E416
                          • SetErrorMode.KERNEL32(00000000,READY), ref: 0103E483
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Error$Mode$DiskFreeLastSpace
                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                          • API String ID: 4194297153-14809454
                          • Opcode ID: 756fea3f309f0db66b5252230edb8d536d56e3b768c965426b7016e794295312
                          • Instruction ID: d328ae93b773f8fbc059556f199c894004d1ba42c3b11d3451741cb3f284d5c9
                          • Opcode Fuzzy Hash: 756fea3f309f0db66b5252230edb8d536d56e3b768c965426b7016e794295312
                          • Instruction Fuzzy Hash: D131B435A0020DAFDB01DBA9CD45BBDBBF8FF88700F048565E685EB291DB75A901CB90
                          APIs
                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0102B98C
                          • GetDlgCtrlID.USER32 ref: 0102B997
                          • GetParent.USER32 ref: 0102B9B3
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0102B9B6
                          • GetDlgCtrlID.USER32(?), ref: 0102B9BF
                          • GetParent.USER32(?), ref: 0102B9DB
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0102B9DE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent
                          • String ID: ComboBox$ListBox
                          • API String ID: 1383977212-1403004172
                          • Opcode ID: bac33e20e2c2508299bb4157d79a1f5f47b25584b7985574cb452763d3468a3c
                          • Instruction ID: 88d9d15919042be4ed1d11a11228341f293ec242090803f660c004f171cf680a
                          • Opcode Fuzzy Hash: bac33e20e2c2508299bb4157d79a1f5f47b25584b7985574cb452763d3468a3c
                          • Instruction Fuzzy Hash: 2821F574A00118BFDB04EBE4CC85EFEBBB4EF59310F00011AF691A7295DB799815DB60
                          APIs
                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0102BA73
                          • GetDlgCtrlID.USER32 ref: 0102BA7E
                          • GetParent.USER32 ref: 0102BA9A
                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 0102BA9D
                          • GetDlgCtrlID.USER32(?), ref: 0102BAA6
                          • GetParent.USER32(?), ref: 0102BAC2
                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 0102BAC5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$CtrlParent
                          • String ID: ComboBox$ListBox
                          • API String ID: 1383977212-1403004172
                          • Opcode ID: 0d0b1cda064c34673fe52eec4f700fe6dfc6491ab1bd323074cef1e4c19c2860
                          • Instruction ID: 1566dfccab6015540edf81cd3b37fa20ddeeaaa6551308f0bc17ce980830cb59
                          • Opcode Fuzzy Hash: 0d0b1cda064c34673fe52eec4f700fe6dfc6491ab1bd323074cef1e4c19c2860
                          • Instruction Fuzzy Hash: 5021D774900118BFDB00EBA4CC85EFEBBB9EF49304F000016F691A7195DB799915DB60
                          APIs
                          • GetParent.USER32 ref: 0102BAE3
                          • GetClassNameW.USER32(00000000,?,00000100), ref: 0102BAF8
                          • _wcscmp.LIBCMT ref: 0102BB0A
                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0102BB85
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ClassMessageNameParentSend_wcscmp
                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                          • API String ID: 1704125052-3381328864
                          • Opcode ID: aefd6e9f242540581be9a5da80aa7fee9f1f7379efea7f12f0d9ed55c34e0c48
                          • Instruction ID: 1e043956ea765753d869380304b97ca6c55d2533ef6134d96605dd6052c93b57
                          • Opcode Fuzzy Hash: aefd6e9f242540581be9a5da80aa7fee9f1f7379efea7f12f0d9ed55c34e0c48
                          • Instruction Fuzzy Hash: 94115936708313FAFB326675DC16DEA77DC9F20220F10002AFAC9E508DEFE6A8504614
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0104B2D5
                          • CoInitialize.OLE32(00000000), ref: 0104B302
                          • CoUninitialize.OLE32 ref: 0104B30C
                          • GetRunningObjectTable.OLE32(00000000,?), ref: 0104B40C
                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 0104B539
                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0104B56D
                          • CoGetObject.OLE32(?,00000000,0107D91C,?), ref: 0104B590
                          • SetErrorMode.KERNEL32(00000000), ref: 0104B5A3
                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0104B623
                          • VariantClear.OLEAUT32(0107D91C), ref: 0104B633
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                          • String ID:
                          • API String ID: 2395222682-0
                          • Opcode ID: 49cea132f8f6eb3cdb10074973fc444b73e66dbb55eddc8f4bb1767a088b3acf
                          • Instruction ID: 08ce7bc70ead573f2a522e5c689aa6e6f90d46817dd438bc2514270fb12424ad
                          • Opcode Fuzzy Hash: 49cea132f8f6eb3cdb10074973fc444b73e66dbb55eddc8f4bb1767a088b3acf
                          • Instruction Fuzzy Hash: CCC118B16083059FD700DF69C884A6BB7E9FF88308F04496DF9899B251DB71ED05CB92
                          APIs
                          • __swprintf.LIBCMT ref: 010367FD
                          • __swprintf.LIBCMT ref: 0103680A
                            • Part of subcall function 0101172B: __woutput_l.LIBCMT ref: 01011784
                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 01036834
                          • LoadResource.KERNEL32(?,00000000), ref: 01036840
                          • LockResource.KERNEL32(00000000), ref: 0103684D
                          • FindResourceW.KERNEL32(?,?,00000003), ref: 0103686D
                          • LoadResource.KERNEL32(?,00000000), ref: 0103687F
                          • SizeofResource.KERNEL32(?,00000000), ref: 0103688E
                          • LockResource.KERNEL32(?), ref: 0103689A
                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 010368F9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                          • String ID:
                          • API String ID: 1433390588-0
                          • Opcode ID: 104f879b93a2d578696d6fe2d1f68189aade5852d60591bdb1b52b97b6216a89
                          • Instruction ID: 17f99a46e7b3e85cb9ace8328296cbe21c88cc4360cbef39a0d7d3b48c152622
                          • Opcode Fuzzy Hash: 104f879b93a2d578696d6fe2d1f68189aade5852d60591bdb1b52b97b6216a89
                          • Instruction Fuzzy Hash: EF3162B190021ABBDB219FA0DD55AFE7BACFF48350F004525F981E2144E77ADA12CB70
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 01034047
                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,010330A5,?,00000001), ref: 0103405B
                          • GetWindowThreadProcessId.USER32(00000000), ref: 01034062
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010330A5,?,00000001), ref: 01034071
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 01034083
                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,010330A5,?,00000001), ref: 0103409C
                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,010330A5,?,00000001), ref: 010340AE
                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,010330A5,?,00000001), ref: 010340F3
                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,010330A5,?,00000001), ref: 01034108
                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,010330A5,?,00000001), ref: 01034113
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                          • String ID:
                          • API String ID: 2156557900-0
                          • Opcode ID: cb83d385c4c68bdf688563f7822cb42b9f25ae608dc7e7df613885c6c48bf1d6
                          • Instruction ID: 481cadf2f7bcbe279bb091e5750494476e214d4ddbe651bb42fc0ec327d78db7
                          • Opcode Fuzzy Hash: cb83d385c4c68bdf688563f7822cb42b9f25ae608dc7e7df613885c6c48bf1d6
                          • Instruction Fuzzy Hash: 4831D771600618AFEB71DF99D885BB977EDFF94311F108045FA84DE248C77AD9408B50
                          APIs
                          • GetSysColor.USER32(00000008), ref: 0100B496
                          • SetTextColor.GDI32(?,000000FF), ref: 0100B4A0
                          • SetBkMode.GDI32(?,00000001), ref: 0100B4B5
                          • GetStockObject.GDI32(00000005), ref: 0100B4BD
                          • GetClientRect.USER32(?), ref: 0106DD63
                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 0106DD7A
                          • GetWindowDC.USER32(?), ref: 0106DD86
                          • GetPixel.GDI32(00000000,?,?), ref: 0106DD95
                          • ReleaseDC.USER32(?,00000000), ref: 0106DDA7
                          • GetSysColor.USER32(00000005), ref: 0106DDC5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                          • String ID:
                          • API String ID: 3430376129-0
                          • Opcode ID: a1ada5fe5719f8a6dff08f4e20b0b2ccf4b2941d7ae8ac50e2730344fa1a0f5b
                          • Instruction ID: cbca90570e85149344be44f25fe7f1957a499a13465cc33b4a3aa959834ba764
                          • Opcode Fuzzy Hash: a1ada5fe5719f8a6dff08f4e20b0b2ccf4b2941d7ae8ac50e2730344fa1a0f5b
                          • Instruction Fuzzy Hash: 26117F31900205BFEB626BF4EC08BA93BA5EF04325F114661FAE6A50D5CB360941DB10
                          APIs
                          • EnumChildWindows.USER32(?,0102CF50), ref: 0102CE90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ChildEnumWindows
                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                          • API String ID: 3555792229-1603158881
                          • Opcode ID: 397e7cbb01a1485e5283b48ab7a237d178b48cd5ecf6ec32db648cca0e1dcc35
                          • Instruction ID: acd16e4108978e005327b615e976e8998823f1c017ac664d05232fea1f4cb8d8
                          • Opcode Fuzzy Hash: 397e7cbb01a1485e5283b48ab7a237d178b48cd5ecf6ec32db648cca0e1dcc35
                          • Instruction Fuzzy Hash: DE91A23060011AABEB59EFA4C580BEEFBB5BF14300F408559DACAB7190DF71695ACBD0
                          APIs
                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00FF30DC
                          • CoUninitialize.OLE32(?,00000000), ref: 00FF3181
                          • UnregisterHotKey.USER32(?), ref: 00FF32A9
                          • DestroyWindow.USER32(?), ref: 01065079
                          • FreeLibrary.KERNEL32(?), ref: 010650F8
                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 01065125
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                          • String ID: close all
                          • API String ID: 469580280-3243417748
                          • Opcode ID: 2b4a8f1b4c9edc0e8d657673b29692012adf94e090e8e87e6f5d09c6183dc086
                          • Instruction ID: 71a6af049263cd1bf12271680708508a55bc6cc9fb9bfd44b4037bd30b7f3c71
                          • Opcode Fuzzy Hash: 2b4a8f1b4c9edc0e8d657673b29692012adf94e090e8e87e6f5d09c6183dc086
                          • Instruction Fuzzy Hash: A291393460020ACFD715EF24C895A78F3A8FF14304F5482A9E64AA7272DF34AE56EF50
                          APIs
                          • SetWindowLongW.USER32(?,000000EB), ref: 0100CC15
                            • Part of subcall function 0100CCCD: GetClientRect.USER32(?,?), ref: 0100CCF6
                            • Part of subcall function 0100CCCD: GetWindowRect.USER32(?,?), ref: 0100CD37
                            • Part of subcall function 0100CCCD: ScreenToClient.USER32(?,?), ref: 0100CD5F
                          • GetDC.USER32 ref: 0106D137
                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0106D14A
                          • SelectObject.GDI32(00000000,00000000), ref: 0106D158
                          • SelectObject.GDI32(00000000,00000000), ref: 0106D16D
                          • ReleaseDC.USER32(?,00000000), ref: 0106D175
                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0106D200
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                          • String ID: U
                          • API String ID: 4009187628-3372436214
                          • Opcode ID: 0b28b0b057c3d90694e761e3002a3865f41aa3480e0d187b23c307db6b87e8d5
                          • Instruction ID: 298c4d74d0d16f46de83dee4d06851ec7a2be882230ed2caedf4271b1906c17e
                          • Opcode Fuzzy Hash: 0b28b0b057c3d90694e761e3002a3865f41aa3480e0d187b23c307db6b87e8d5
                          • Instruction Fuzzy Hash: 1271C530600209EFEF629FA8C984AEA7BF9FF48354F1442AAEDD55A196D7318841DF50
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                            • Part of subcall function 0100B63C: GetCursorPos.USER32(000000FF), ref: 0100B64F
                            • Part of subcall function 0100B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0100B66C
                            • Part of subcall function 0100B63C: GetAsyncKeyState.USER32(00000001), ref: 0100B691
                            • Part of subcall function 0100B63C: GetAsyncKeyState.USER32(00000002), ref: 0100B69F
                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0105ED3C
                          • ImageList_EndDrag.COMCTL32 ref: 0105ED42
                          • ReleaseCapture.USER32 ref: 0105ED48
                          • SetWindowTextW.USER32(?,00000000), ref: 0105EDF0
                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0105EE03
                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0105EEDC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                          • API String ID: 1924731296-2107944366
                          • Opcode ID: 52e26d1e9d41690d0f63b98e22827068b8bebab26971e75d103a445306d22061
                          • Instruction ID: 6c180dad92ba64d44334c49d391053f4ea18031f3085a67ebf6e22453fbf51c4
                          • Opcode Fuzzy Hash: 52e26d1e9d41690d0f63b98e22827068b8bebab26971e75d103a445306d22061
                          • Instruction Fuzzy Hash: 2151A934204308AFE720EF24DC99FAA77E4BF88704F10491DFAD5A62E1DB759904CB92
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010445FF
                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0104462B
                          • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0104466D
                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01044682
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0104468F
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 010446BF
                          • InternetCloseHandle.WININET(00000000), ref: 01044706
                            • Part of subcall function 01045052: GetLastError.KERNEL32(?,?,010443CC,00000000,00000000,00000001), ref: 01045067
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                          • String ID:
                          • API String ID: 1241431887-3916222277
                          • Opcode ID: 85e4ff7a23f302464acb553b4ad9a60a67cddf520e3308741d992f4788b16579
                          • Instruction ID: 8ed3fca0e1ac3f5f6bbb079fcbfbd6a1594ba113e652e97bcd7227b3cea35ea3
                          • Opcode Fuzzy Hash: 85e4ff7a23f302464acb553b4ad9a60a67cddf520e3308741d992f4788b16579
                          • Instruction Fuzzy Hash: 2A4180B1501205BFEB129F94CC85FFE7BACFF08314F004066FA85EA145E77599448BA5
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0108DC00), ref: 0104B715
                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0108DC00), ref: 0104B749
                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0104B8C1
                          • SysFreeString.OLEAUT32(?), ref: 0104B8EB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                          • String ID:
                          • API String ID: 560350794-0
                          • Opcode ID: 1d041f8706475e6c0be05efd166d02c4a187b83d5f1ed3e51645809c4b49aefd
                          • Instruction ID: bae866809985d445e66250246187b5e52eb6d42f0899d826cfa42e6f81e4507e
                          • Opcode Fuzzy Hash: 1d041f8706475e6c0be05efd166d02c4a187b83d5f1ed3e51645809c4b49aefd
                          • Instruction Fuzzy Hash: 7BF13AB5A00109EFDB14DF94C884EAEBBB9FF49315F1484A9E945AB250DB31ED41CB90
                          APIs
                          • _memset.LIBCMT ref: 010524F5
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 01052688
                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 010526AC
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 010526EC
                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0105270E
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0105286F
                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 010528A1
                          • CloseHandle.KERNEL32(?), ref: 010528D0
                          • CloseHandle.KERNEL32(?), ref: 01052947
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                          • String ID:
                          • API String ID: 4090791747-0
                          • Opcode ID: abca8bb5b6030732a3ee9ab52be05ac7a4372f9bf0f15f95f786757bdd1b2364
                          • Instruction ID: 2ac560f6bfac86c95f1bea2d207652abd3361301a784f29ad2c20a97ca4710f3
                          • Opcode Fuzzy Hash: abca8bb5b6030732a3ee9ab52be05ac7a4372f9bf0f15f95f786757bdd1b2364
                          • Instruction Fuzzy Hash: 87D1DE31604301DFDB65EF28C890A6EBBE5BF88314F14845DE9D99B2A1DB31EC41CB92
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0105B3F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: 0cfa1b855d810aa67d2d1877cfe5699ceb978ab786df1b2f26d21e06907a145d
                          • Instruction ID: c1f745b6bf105bcbc37d767bad9820b3db8700523f0718607724e0b1985a0e89
                          • Opcode Fuzzy Hash: 0cfa1b855d810aa67d2d1877cfe5699ceb978ab786df1b2f26d21e06907a145d
                          • Instruction Fuzzy Hash: AF51AF34601205BBEFB59E68CC85BAE7FA6AB04358F148051FED4E61E2CB75F9408B50
                          APIs
                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0106DB1B
                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0106DB3C
                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0106DB51
                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0106DB6E
                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0106DB95
                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0100A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0106DBA0
                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0106DBBD
                          • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0100A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0106DBC8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                          • String ID:
                          • API String ID: 1268354404-0
                          • Opcode ID: 823134a4514551c91391e1a6b3dc8c2ac8b07e0a1fe866ac57499cb9b72c3e62
                          • Instruction ID: 7fadadb6a8700d355753dcfe91cae198093a347e95aa67197543f76cdc6a9c36
                          • Opcode Fuzzy Hash: 823134a4514551c91391e1a6b3dc8c2ac8b07e0a1fe866ac57499cb9b72c3e62
                          • Instruction Fuzzy Hash: 60513670700309EFEB21DFA8CC91FAA7BF9BB48750F104519F986A72D1D7B5A9808B50
                          APIs
                            • Part of subcall function 01036EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,01035FA6,?), ref: 01036ED8
                            • Part of subcall function 01036EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,01035FA6,?), ref: 01036EF1
                            • Part of subcall function 010372CB: GetFileAttributesW.KERNEL32(?,01036019), ref: 010372CC
                          • lstrcmpiW.KERNEL32(?,?), ref: 010375CA
                          • _wcscmp.LIBCMT ref: 010375E2
                          • MoveFileW.KERNEL32(?,?), ref: 010375FB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                          • String ID:
                          • API String ID: 793581249-0
                          • Opcode ID: d19ae9e3712e14c8d038c2a06ba639689ff8c7cecb1316d3fb1591f48f07775a
                          • Instruction ID: 016a20a3f82a22e724138c24ff1874472a49ba288d1dbaf389aca8b6a7e4fe26
                          • Opcode Fuzzy Hash: d19ae9e3712e14c8d038c2a06ba639689ff8c7cecb1316d3fb1591f48f07775a
                          • Instruction Fuzzy Hash: FD5100F2A0521A9ADF65EB94D880DDE73BCAF5C210B0040EAF685E3141EA7593C9CF64
                          APIs
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0106DAD1,00000004,00000000,00000000), ref: 0100EAEB
                          • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0106DAD1,00000004,00000000,00000000), ref: 0100EB32
                          • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0106DAD1,00000004,00000000,00000000), ref: 0106DC86
                          • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0106DAD1,00000004,00000000,00000000), ref: 0106DCF2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ShowWindow
                          • String ID:
                          • API String ID: 1268545403-0
                          • Opcode ID: 6c4a36c268ef0f238ef7546ac64a7a3490fd8a58030c50611c197416a33b73e8
                          • Instruction ID: f58128f31d6872560f94254b1e4c25316347e2abb652097251c154bd50c6dc46
                          • Opcode Fuzzy Hash: 6c4a36c268ef0f238ef7546ac64a7a3490fd8a58030c50611c197416a33b73e8
                          • Instruction Fuzzy Hash: F941F470705A859AF7BB4B6CC98CA6B7EDABF46310F090C49E2C7A65D5C675B080C731
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0102AEF1,00000B00,?,?), ref: 0102B26C
                          • HeapAlloc.KERNEL32(00000000,?,0102AEF1,00000B00,?,?), ref: 0102B273
                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0102AEF1,00000B00,?,?), ref: 0102B288
                          • GetCurrentProcess.KERNEL32(?,00000000,?,0102AEF1,00000B00,?,?), ref: 0102B290
                          • DuplicateHandle.KERNEL32(00000000,?,0102AEF1,00000B00,?,?), ref: 0102B293
                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0102AEF1,00000B00,?,?), ref: 0102B2A3
                          • GetCurrentProcess.KERNEL32(0102AEF1,00000000,?,0102AEF1,00000B00,?,?), ref: 0102B2AB
                          • DuplicateHandle.KERNEL32(00000000,?,0102AEF1,00000B00,?,?), ref: 0102B2AE
                          • CreateThread.KERNEL32(00000000,00000000,0102B2D4,00000000,00000000,00000000), ref: 0102B2C8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                          • String ID:
                          • API String ID: 1957940570-0
                          • Opcode ID: b1184a6ef48f06b618450bee06f77357504a60d0c1672bf7645bad60c9e413fb
                          • Instruction ID: 59904e27816e5b1597bf52524485500dddb8ab07e354553c16f4f31a6355288c
                          • Opcode Fuzzy Hash: b1184a6ef48f06b618450bee06f77357504a60d0c1672bf7645bad60c9e413fb
                          • Instruction Fuzzy Hash: 9B01B6B5640348BFE720ABA5DC49F6B7BACEF89711F018411FA45EB195CA799800CB60
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID: NULL Pointer assignment$Not an Object type
                          • API String ID: 0-572801152
                          • Opcode ID: 4c9e94d2a598b80619e5300c009d1141505b2c22c6b24f36702c32dc1f1cea2b
                          • Instruction ID: 77a6bbf8374aa2165d8174ec8a8fa7e4ad31cce2ee1a4336b3cf72f5992bec0d
                          • Opcode Fuzzy Hash: 4c9e94d2a598b80619e5300c009d1141505b2c22c6b24f36702c32dc1f1cea2b
                          • Instruction Fuzzy Hash: 5DE197B1A0121AAFEF14DFA8C984AEE77F5FF48354F144079E985AB281D770AD41CB90
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$_memset
                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                          • API String ID: 2862541840-625585964
                          • Opcode ID: edec4cbf16acf3f54324fe4f927c213e120e3d220228d90888f253730d60b92a
                          • Instruction ID: 41a619e12724672041b615edeabfe6f4f2e2aea8cad26dac3be42312e3cee5bc
                          • Opcode Fuzzy Hash: edec4cbf16acf3f54324fe4f927c213e120e3d220228d90888f253730d60b92a
                          • Instruction Fuzzy Hash: 4E91A4B1A00209ABDF25DF99C884FEEBBB8EF45710F0085A9F595AB181D770D944CFA1
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memset
                          • String ID: Q\E$[$\$\$]$^
                          • API String ID: 2102423945-1026548749
                          • Opcode ID: c878b25cdeb29e23bb6c63ef7b8622ba463022723c66d852fd2a13c2deed62cc
                          • Instruction ID: 1c7ff43735f1c60973267b5b450409ceb67f0b0ac835777e458957b6dd816b03
                          • Opcode Fuzzy Hash: c878b25cdeb29e23bb6c63ef7b8622ba463022723c66d852fd2a13c2deed62cc
                          • Instruction Fuzzy Hash: 5F518071E0020E9BDF24DF98C8806BDFBB5AF84314F28816ADA54A7261E7309D85DB90
                          APIs
                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01059B19
                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 01059B2D
                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01059B47
                          • _wcscat.LIBCMT ref: 01059BA2
                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 01059BB9
                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 01059BE7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$Window_wcscat
                          • String ID: SysListView32
                          • API String ID: 307300125-78025650
                          • Opcode ID: ce5b6d56cdbf71ff2b727496df7ce971c877cc0ff0f07f84a18ed689b679ec1b
                          • Instruction ID: b10e2b9749fe99c1cd1913838634b68455e0d4e548796629ef0099e68361a2d5
                          • Opcode Fuzzy Hash: ce5b6d56cdbf71ff2b727496df7ce971c877cc0ff0f07f84a18ed689b679ec1b
                          • Instruction Fuzzy Hash: 45418271900309EBEF619FA8C884BEF77E9EF08354F10446AF9C9A7281D67599848B60
                          APIs
                            • Part of subcall function 01036532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 01036554
                            • Part of subcall function 01036532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 01036564
                            • Part of subcall function 01036532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 010365F9
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0105179A
                          • GetLastError.KERNEL32 ref: 010517AD
                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 010517D9
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 01051855
                          • GetLastError.KERNEL32(00000000), ref: 01051860
                          • CloseHandle.KERNEL32(00000000), ref: 01051895
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                          • String ID: SeDebugPrivilege
                          • API String ID: 2533919879-2896544425
                          • Opcode ID: 2c5c2a6577d192487acba7620f99b35550d3eab744a83fc13399f71f704610cf
                          • Instruction ID: 05a7da9aa2f2592c948942596185d3928e17f9936c6f00419f5acca6f6393b99
                          • Opcode Fuzzy Hash: 2c5c2a6577d192487acba7620f99b35550d3eab744a83fc13399f71f704610cf
                          • Instruction Fuzzy Hash: 9F419071600205AFEB15EF98C894FBE77A5AF54310F048099EA86AF2C2DBB99905CB51
                          APIs
                          • LoadIconW.USER32(00000000,00007F03), ref: 010358B8
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: IconLoad
                          • String ID: blank$info$question$stop$warning
                          • API String ID: 2457776203-404129466
                          • Opcode ID: efcb5b64309c98066169afca2bbd9941673cd290629bd75d0dbfc3819d8d9b36
                          • Instruction ID: bbac51f9791d9e4c219ba667345bde1ccaa6313010fa3cfb1447ae025ff465bf
                          • Opcode Fuzzy Hash: efcb5b64309c98066169afca2bbd9941673cd290629bd75d0dbfc3819d8d9b36
                          • Instruction Fuzzy Hash: E7110632709347FAE7015B999C82DAE67ECBFA9224B20007EF5C5FA281E7A4A5404264
                          APIs
                          • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0103A806
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ArraySafeVartype
                          • String ID:
                          • API String ID: 1725837607-0
                          • Opcode ID: c587fef3e29b0a80ba73e0e90eaecca3cfd62aa85df38d3839170722722aaf26
                          • Instruction ID: 31e140ed8c41b840d6bec1a8af29aa5d5378513de17cfcd306d840a4a4a3d815
                          • Opcode Fuzzy Hash: c587fef3e29b0a80ba73e0e90eaecca3cfd62aa85df38d3839170722722aaf26
                          • Instruction Fuzzy Hash: DCC15E75A0420ADFDB11DF98C484BEEBBF8FF49315F20406AE685E7280D735A942CB90
                          APIs
                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 01036B63
                          • LoadStringW.USER32(00000000), ref: 01036B6A
                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 01036B80
                          • LoadStringW.USER32(00000000), ref: 01036B87
                          • _wprintf.LIBCMT ref: 01036BAD
                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 01036BCB
                          Strings
                          • %s (%d) : ==> %s: %s %s, xrefs: 01036BA8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HandleLoadModuleString$Message_wprintf
                          • String ID: %s (%d) : ==> %s: %s %s
                          • API String ID: 3648134473-3128320259
                          • Opcode ID: ffaa97760c56e5f269f2694f054d9bcaee1762bb7ee9160772c3dd4b5fab1297
                          • Instruction ID: 8edd533832e6de0deb6451a91e571bd3dcfa100046667e307882d4ef29bdf6a2
                          • Opcode Fuzzy Hash: ffaa97760c56e5f269f2694f054d9bcaee1762bb7ee9160772c3dd4b5fab1297
                          • Instruction Fuzzy Hash: 330112F6900208BFE751BBE49D89EE6776CEB08304F404495B785E6145EA799E844F70
                          APIs
                            • Part of subcall function 01053C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01052BB5,?,?), ref: 01053C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01052BF6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharConnectRegistryUpper
                          • String ID:
                          • API String ID: 2595220575-0
                          • Opcode ID: cfb4bcfc461bcc80674bc0b86681694441c3f7d807f5b6eaf869d8437d9ad968
                          • Instruction ID: 433a3da684bcacd67ac88a3b4ba9298ca7854dcbe56ef061d6da9dd31e964aa5
                          • Opcode Fuzzy Hash: cfb4bcfc461bcc80674bc0b86681694441c3f7d807f5b6eaf869d8437d9ad968
                          • Instruction Fuzzy Hash: D5918B31204205DFDB51EF58C884B6EBBE5FF98310F04885DFA969B2A1DB35E905CB92
                          APIs
                          • select.WSOCK32 ref: 01049691
                          • WSAGetLastError.WSOCK32(00000000), ref: 0104969E
                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 010496C8
                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 010496E9
                          • WSAGetLastError.WSOCK32(00000000), ref: 010496F8
                          • htons.WSOCK32(?,?,?,00000000,?), ref: 010497AA
                          • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0108DC00), ref: 01049765
                            • Part of subcall function 0102D2FF: _strlen.LIBCMT ref: 0102D309
                          • _strlen.LIBCMT ref: 01049800
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                          • String ID:
                          • API String ID: 3480843537-0
                          • Opcode ID: 8e80e9cda571f1edde888d074ea0611a46844ed64c7b817d3914187bb504f9d5
                          • Instruction ID: 4fef97172f1403b5cb0adc924ef1ad12eed542db307aa2faa53bc13e9fed1598
                          • Opcode Fuzzy Hash: 8e80e9cda571f1edde888d074ea0611a46844ed64c7b817d3914187bb504f9d5
                          • Instruction Fuzzy Hash: 2F81CF71504205AFD710EF68CC85E6BBBE8FF98714F00462DF6959B2A1EB34D904CB92
                          APIs
                          • __mtinitlocknum.LIBCMT ref: 0101A991
                            • Part of subcall function 01017D7C: __FF_MSGBANNER.LIBCMT ref: 01017D91
                            • Part of subcall function 01017D7C: __NMSG_WRITE.LIBCMT ref: 01017D98
                            • Part of subcall function 01017D7C: __malloc_crt.LIBCMT ref: 01017DB8
                          • __lock.LIBCMT ref: 0101A9A4
                          • __lock.LIBCMT ref: 0101A9F0
                          • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,010A6DE0,00000018,01025E7B,?,00000000,00000109), ref: 0101AA0C
                          • EnterCriticalSection.KERNEL32(8000000C,010A6DE0,00000018,01025E7B,?,00000000,00000109), ref: 0101AA29
                          • LeaveCriticalSection.KERNEL32(8000000C), ref: 0101AA39
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                          • String ID:
                          • API String ID: 1422805418-0
                          • Opcode ID: 270713d7e141ebf98a71f97ef8ce91a9dc809d82d63fb88cdac6b3e33da15dce
                          • Instruction ID: 53fbbeda47ca904a9336793d0a0fef808497ac073a012ca16c326e9942ab02fc
                          • Opcode Fuzzy Hash: 270713d7e141ebf98a71f97ef8ce91a9dc809d82d63fb88cdac6b3e33da15dce
                          • Instruction Fuzzy Hash: F2413972B02286DBEB209F6CD98079DB7B07F01334F548258D5E5AB2C9D77D9441CB80
                          APIs
                          • DeleteObject.GDI32(00000000), ref: 01058EE4
                          • GetDC.USER32(00000000), ref: 01058EEC
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01058EF7
                          • ReleaseDC.USER32(00000000,00000000), ref: 01058F03
                          • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 01058F3F
                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01058F50
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0105BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 01058F8A
                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 01058FAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                          • String ID:
                          • API String ID: 3864802216-0
                          • Opcode ID: 3cd2b0ab5fd40e8ca28502ed29c6085d23963a18bef61b21bad12d27aabaa08e
                          • Instruction ID: 74ae881059f924a5b241b1aa2c8bbeca4ab99779ff05ec3f30cb3ae29f284e28
                          • Opcode Fuzzy Hash: 3cd2b0ab5fd40e8ca28502ed29c6085d23963a18bef61b21bad12d27aabaa08e
                          • Instruction Fuzzy Hash: 8E316D72600214BFEB218F95CC49FEB3BAEEF49755F044065FE48AA185C67A9841CBB0
                          APIs
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                            • Part of subcall function 0100C6F4: _wcscpy.LIBCMT ref: 0100C717
                          • _wcstok.LIBCMT ref: 0104184E
                          • _wcscpy.LIBCMT ref: 010418DD
                          • _memset.LIBCMT ref: 01041910
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                          • String ID: X
                          • API String ID: 774024439-3081909835
                          • Opcode ID: 1f2c82a8df43c6b172ee22baf4b86bd6ffa2416cff70f58cf93ca7db46aa47c2
                          • Instruction ID: ed04cb4a1e8856f542b52c7c1d1d88c20367a9dad2f4c243eaae8507d803c215
                          • Opcode Fuzzy Hash: 1f2c82a8df43c6b172ee22baf4b86bd6ffa2416cff70f58cf93ca7db46aa47c2
                          • Instruction Fuzzy Hash: 16C19D756043459FD364EF24CD81AAEBBE4BF85350F00496DFAD99B2A1DB34E844CB82
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • GetSystemMetrics.USER32(0000000F), ref: 0106016D
                          • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0106038D
                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 010603AB
                          • InvalidateRect.USER32(?,00000000,00000001,?), ref: 010603D6
                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 010603FF
                          • ShowWindow.USER32(00000003,00000000), ref: 01060421
                          • DefDlgProcW.USER32(?,00000005,?,?), ref: 01060440
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                          • String ID:
                          • API String ID: 3356174886-0
                          • Opcode ID: d2efa6fe8298f6fcd2a88bbebc29e9e27666867e745d12477f800f91fef50f0d
                          • Instruction ID: f0e98ffcd480b1f04da86c81edb9050b340139f71e6ee6fa209dbe05b68c5163
                          • Opcode Fuzzy Hash: d2efa6fe8298f6fcd2a88bbebc29e9e27666867e745d12477f800f91fef50f0d
                          • Instruction Fuzzy Hash: A8A1CC35640626EBDB18CF68C9857BEBBF9FF08701F048155FD94AB288DB35A950CB90
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 64dc73d97d80733f1f2f61d5fc3efa2d75d558cbb146ba2e87a3865b00423f1d
                          • Instruction ID: c6f4b4f1c00be212f09c80aedd1ae12511653872ebc775d6da0d963ef4079f0f
                          • Opcode Fuzzy Hash: 64dc73d97d80733f1f2f61d5fc3efa2d75d558cbb146ba2e87a3865b00423f1d
                          • Instruction Fuzzy Hash: 42714E71A00209EFEB15CF98C848EFE7B75FF85314F148149F595AB291C7349A41CBA0
                          APIs
                          • _memset.LIBCMT ref: 0105225A
                          • _memset.LIBCMT ref: 01052323
                          • ShellExecuteExW.SHELL32(?), ref: 01052368
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                            • Part of subcall function 0100C6F4: _wcscpy.LIBCMT ref: 0100C717
                          • CloseHandle.KERNEL32(00000000), ref: 0105242F
                          • FreeLibrary.KERNEL32(00000000), ref: 0105243E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                          • String ID: @
                          • API String ID: 4082843840-2766056989
                          APIs
                          • GetParent.USER32(?), ref: 01033DE7
                          • GetKeyboardState.USER32(?), ref: 01033DFC
                          • SetKeyboardState.USER32(?), ref: 01033E5D
                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 01033E8B
                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 01033EAA
                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 01033EF0
                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 01033F13
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          APIs
                          • GetParent.USER32(00000000), ref: 01033C02
                          • GetKeyboardState.USER32(?), ref: 01033C17
                          • SetKeyboardState.USER32(?), ref: 01033C78
                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 01033CA4
                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 01033CC1
                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 01033D05
                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 01033D26
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessagePost$KeyboardState$Parent
                          • String ID:
                          • API String ID: 87235514-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _wcsncpy$LocalTime
                          • String ID:
                          • API String ID: 2945705084-0
                          APIs
                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 01053DA1
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01053DCB
                          • FreeLibrary.KERNEL32(00000000), ref: 01053E80
                            • Part of subcall function 01053D72: RegCloseKey.ADVAPI32(?), ref: 01053DE8
                            • Part of subcall function 01053D72: FreeLibrary.KERNEL32(?), ref: 01053E3A
                            • Part of subcall function 01053D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01053E5D
                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 01053E25
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                          • String ID:
                          • API String ID: 395352322-0
                          APIs
                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 01058FE7
                          • GetWindowLongW.USER32(011BDD80,000000F0), ref: 0105901A
                          • GetWindowLongW.USER32(011BDD80,000000F0), ref: 0105904F
                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01059081
                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010590AB
                          • GetWindowLongW.USER32(00000000,000000F0), ref: 010590BC
                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010590D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: LongWindow$MessageSend
                          • String ID:
                          • API String ID: 2178440468-0
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010308F2
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 01030918
                          • SysAllocString.OLEAUT32(00000000), ref: 0103091B
                          • SysAllocString.OLEAUT32(?), ref: 01030939
                          • SysFreeString.OLEAUT32(?), ref: 01030942
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 01030967
                          • SysAllocString.OLEAUT32(?), ref: 01030975
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __wcsnicmp
                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                          • API String ID: 1038674560-2734436370
                          APIs
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010309CB
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 010309F1
                          • SysAllocString.OLEAUT32(00000000), ref: 010309F4
                          • SysAllocString.OLEAUT32 ref: 01030A15
                          • SysFreeString.OLEAUT32 ref: 01030A1E
                          • StringFromGUID2.OLE32(?,?,00000028), ref: 01030A38
                          • SysAllocString.OLEAUT32(?), ref: 01030A46
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                          • String ID:
                          • API String ID: 3761583154-0
                          APIs
                            • Part of subcall function 0100D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0100D1BA
                            • Part of subcall function 0100D17C: GetStockObject.GDI32(00000011), ref: 0100D1CE
                            • Part of subcall function 0100D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0100D1D8
                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0105A32D
                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0105A33A
                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0105A345
                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0105A354
                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0105A360
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$CreateObjectStockWindow
                          • String ID: Msctls_Progress32
                          • API String ID: 1025951953-3636473452
                          APIs
                          • GetClientRect.USER32(?,?), ref: 0100CCF6
                          • GetWindowRect.USER32(?,?), ref: 0100CD37
                          • ScreenToClient.USER32(?,?), ref: 0100CD5F
                          • GetClientRect.USER32(?,?), ref: 0100CE8C
                          • GetWindowRect.USER32(?,?), ref: 0100CEA5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Rect$Client$Window$Screen
                          • String ID:
                          • API String ID: 1296646539-0
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32 ref: 01051C18
                          • Process32FirstW.KERNEL32(00000000,?), ref: 01051C26
                          • __wsplitpath.LIBCMT ref: 01051C54
                            • Part of subcall function 01011DFC: __wsplitpath_helper.LIBCMT ref: 01011E3C
                          • _wcscat.LIBCMT ref: 01051C69
                          • Process32NextW.KERNEL32(00000000,?), ref: 01051CDF
                          • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 01051CF1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                          • String ID:
                          • API String ID: 1380811348-0
                          APIs
                            • Part of subcall function 01053C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01052BB5,?,?), ref: 01053C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010530AF
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010530EF
                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01053112
                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0105313B
                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0105317E
                          • RegCloseKey.ADVAPI32(00000000), ref: 0105318B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                          • String ID:
                          • API String ID: 3451389628-0
                          APIs
                          • GetMenu.USER32(?), ref: 01058540
                          • GetMenuItemCount.USER32(00000000), ref: 01058577
                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0105859F
                          • GetMenuItemID.USER32(?,?), ref: 0105860E
                          • GetSubMenu.USER32(?,?), ref: 0105861C
                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 0105866D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Menu$Item$CountMessagePostString
                          • String ID:
                          • API String ID: 650687236-0
                          APIs
                          • _memset.LIBCMT ref: 01034B10
                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01034B5B
                          • IsMenu.USER32(00000000), ref: 01034B7B
                          • CreatePopupMenu.USER32 ref: 01034BAF
                          • GetMenuItemCount.USER32(000000FF), ref: 01034C0D
                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 01034C3E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                          • String ID:
                          • API String ID: 3311875123-0
                          APIs
                          • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0108DC00), ref: 01048E7C
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048E89
                          • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 01048EAD
                          • #16.WSOCK32(?,?,00000000,00000000), ref: 01048EC5
                          • _strlen.LIBCMT ref: 01048EF7
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048F6A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLast$_strlenselect
                          • String ID:
                          • API String ID: 2217125717-0
                          • Opcode ID: 91fe7f1a3cced74b2035e79af2fb87214bbe3b9198cf4577de0ce4deac5960fa
                          • Instruction ID: b71cd64101c6d8b4fbcedba894a1521abd4a0f2b995067f242c34121f70b1ff8
                          • Opcode Fuzzy Hash: 91fe7f1a3cced74b2035e79af2fb87214bbe3b9198cf4577de0ce4deac5960fa
                          • Instruction Fuzzy Hash: E041A5B1500109AFDB14EBA4CDC5EEEB7B9BF58310F10856AF656A72D1DB34AE00CB60
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • BeginPaint.USER32(?,?,?), ref: 0100AC2A
                          • GetWindowRect.USER32(?,?), ref: 0100AC8E
                          • ScreenToClient.USER32(?,?), ref: 0100ACAB
                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0100ACBC
                          • EndPaint.USER32(?,?,?,?,?), ref: 0100AD06
                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0106E673
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                          • String ID:
                          • API String ID: 2592858361-0
                          • Opcode ID: 76048006fe8ff3e2549f73353f2b69cb49c80caa9f6e24b9ee9873f9cce5dc96
                          • Instruction ID: 91d43fbde674c9f9f123b21eed3d0ac3daab5f1aca8053e90621b251ae89c412
                          • Opcode Fuzzy Hash: 76048006fe8ff3e2549f73353f2b69cb49c80caa9f6e24b9ee9873f9cce5dc96
                          • Instruction Fuzzy Hash: 9C41CF71600305EFD722DF28D884FBA7BE8AB49320F140269F9E4872D1C336A844CB61
                          APIs
                          • ShowWindow.USER32(010B1628,00000000,010B1628,00000000,00000000,010B1628,?,0106DC5D,00000000,?,00000000,00000000,00000000,?,0106DAD1,00000004), ref: 0105E40B
                          • EnableWindow.USER32(00000000,00000000), ref: 0105E42F
                          • ShowWindow.USER32(010B1628,00000000), ref: 0105E48F
                          • ShowWindow.USER32(00000000,00000004), ref: 0105E4A1
                          • EnableWindow.USER32(00000000,00000001), ref: 0105E4C5
                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0105E4E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Show$Enable$MessageSend
                          • String ID:
                          • API String ID: 642888154-0
                          • Opcode ID: f0a05a7ef747a463732de1d2c431e55ac625bf139694ed0d74c52cce7768f4da
                          • Instruction ID: 9d700bf4450ed4689be903572892feac73feec303ac245401ea2dc14c2dcc3a3
                          • Opcode Fuzzy Hash: f0a05a7ef747a463732de1d2c431e55ac625bf139694ed0d74c52cce7768f4da
                          • Instruction Fuzzy Hash: 5C411B30601141AFEBA2CF68C499B95BFE1BF09304F1845A9EED89F1A2CB35A941CB51
                          APIs
                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 010398D1
                            • Part of subcall function 0100F4EA: std::exception::exception.LIBCMT ref: 0100F51E
                            • Part of subcall function 0100F4EA: __CxxThrowException@8.LIBCMT ref: 0100F533
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 01039908
                          • EnterCriticalSection.KERNEL32(?), ref: 01039924
                          • LeaveCriticalSection.KERNEL32(?), ref: 0103999E
                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 010399B3
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 010399D2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                          • String ID:
                          • API String ID: 2537439066-0
                          • Opcode ID: 7321d7c508533644948f0bd56ee4a421aa55e181766e1122343f85c86bdb110b
                          • Instruction ID: ad176fcafffbbbea50a4069fd5dfaa5e01cfc2d172d658ab043aa896829ef23b
                          • Opcode Fuzzy Hash: 7321d7c508533644948f0bd56ee4a421aa55e181766e1122343f85c86bdb110b
                          • Instruction Fuzzy Hash: E631C731900106EFDB11DF98DC84DAE77B8FF84310F1480A5E945AB289DB75DE11DB60
                          APIs
                          • GetForegroundWindow.USER32(?,?,?,?,?,?,010477F4,?,?,00000000,00000001), ref: 01049B53
                            • Part of subcall function 01046544: GetWindowRect.USER32(?,?), ref: 01046557
                          • GetDesktopWindow.USER32 ref: 01049B7D
                          • GetWindowRect.USER32(00000000), ref: 01049B84
                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 01049BB6
                            • Part of subcall function 01037A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01037AD0
                          • GetCursorPos.USER32(?), ref: 01049BE2
                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01049C44
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                          • String ID:
                          • API String ID: 4137160315-0
                          • Opcode ID: 2590c2625ec5c87afb4e32a97e48fc53b6449a8fc8f70de467b4bdab08c03737
                          • Instruction ID: 5f2910b68ad7fd999938c47542c5dc68f26469ed591ced5e8b4b4c167f60deee
                          • Opcode Fuzzy Hash: 2590c2625ec5c87afb4e32a97e48fc53b6449a8fc8f70de467b4bdab08c03737
                          • Instruction Fuzzy Hash: DD31A2B250431AABD720DF58C884B9BB7E9FF89314F000929F5D5E7181D671E904CB91
                          APIs
                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0102AFAE
                          • OpenProcessToken.ADVAPI32(00000000), ref: 0102AFB5
                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0102AFC4
                          • CloseHandle.KERNEL32(00000004), ref: 0102AFCF
                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0102AFFE
                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 0102B012
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                          • String ID:
                          • API String ID: 1413079979-0
                          • Opcode ID: 10b78833594a2c376bc347161881b9bfd2a454de98004bf354efb97a20a8212b
                          • Instruction ID: d18a92c49f4d4acf65d8c43ab9897b08a4ef051633710e7651c1dc2cfa7d9485
                          • Opcode Fuzzy Hash: 10b78833594a2c376bc347161881b9bfd2a454de98004bf354efb97a20a8212b
                          • Instruction Fuzzy Hash: 5121797260025DEFDB528FE8E908FAE7BA9AF44304F044055FA81A2190D67A9920DB60
                          APIs
                            • Part of subcall function 0100AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0100AFE3
                            • Part of subcall function 0100AF83: SelectObject.GDI32(?,00000000), ref: 0100AFF2
                            • Part of subcall function 0100AF83: BeginPath.GDI32(?), ref: 0100B009
                            • Part of subcall function 0100AF83: SelectObject.GDI32(?,00000000), ref: 0100B033
                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0105EC20
                          • LineTo.GDI32(00000000,00000003,?), ref: 0105EC34
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0105EC42
                          • LineTo.GDI32(00000000,00000000,?), ref: 0105EC52
                          • EndPath.GDI32(00000000), ref: 0105EC62
                          • StrokePath.GDI32(00000000), ref: 0105EC72
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                          • String ID:
                          • API String ID: 43455801-0
                          • Opcode ID: b07eef018c87b696e06044982a989b7655eae9dca5600140d8f76e5d81830a0f
                          • Instruction ID: 8665b2cd627ba3fe3162cc54bff1436a3a322377780e4a36180dbe3701840fc3
                          • Opcode Fuzzy Hash: b07eef018c87b696e06044982a989b7655eae9dca5600140d8f76e5d81830a0f
                          • Instruction Fuzzy Hash: 22113C7240014DBFEB229F94DC88FEA7F6DEF08390F048012BE8859164C7769955DBA0
                          APIs
                          • GetDC.USER32(00000000), ref: 0102E1C0
                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0102E1D1
                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0102E1D8
                          • ReleaseDC.USER32(00000000,00000000), ref: 0102E1E0
                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0102E1F7
                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0102E209
                            • Part of subcall function 01029AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,01029A05,00000000,00000000,?,01029DDB), ref: 0102A53A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CapsDevice$ExceptionRaiseRelease
                          • String ID:
                          • API String ID: 603618608-0
                          • Opcode ID: 5b292023f1ddb0c7ccf9279b58df119dc44465971e4daa73f40a1cbcc79f61df
                          • Instruction ID: fa419f6edf40d28a9d72a4036df2f41a0129d323b7b3e7be6e896ca8044530d8
                          • Opcode Fuzzy Hash: 5b292023f1ddb0c7ccf9279b58df119dc44465971e4daa73f40a1cbcc79f61df
                          • Instruction Fuzzy Hash: AC017CB5E40219BBEB109BE69C45B5ABFB9EF48351F104066EA44A7280DA719800CBA0
                          APIs
                          • __init_pointers.LIBCMT ref: 01017B47
                            • Part of subcall function 0101123A: __initp_misc_winsig.LIBCMT ref: 0101125E
                            • Part of subcall function 0101123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 01017F51
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 01017F65
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 01017F78
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 01017F8B
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 01017F9E
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 01017FB1
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 01017FC4
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 01017FD7
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 01017FEA
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 01017FFD
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 01018010
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 01018023
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 01018036
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 01018049
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0101805C
                            • Part of subcall function 0101123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0101806F
                          • __mtinitlocks.LIBCMT ref: 01017B4C
                            • Part of subcall function 01017E23: InitializeCriticalSectionAndSpinCount.KERNEL32(010AAC68,00000FA0,?,?,01017B51,01015E77,010A6C70,00000014), ref: 01017E41
                          • __mtterm.LIBCMT ref: 01017B55
                            • Part of subcall function 01017BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,01017B5A,01015E77,010A6C70,00000014), ref: 01017D3F
                            • Part of subcall function 01017BBD: _free.LIBCMT ref: 01017D46
                            • Part of subcall function 01017BBD: DeleteCriticalSection.KERNEL32(010AAC68,?,?,01017B5A,01015E77,010A6C70,00000014), ref: 01017D68
                          • __calloc_crt.LIBCMT ref: 01017B7A
                          • GetCurrentThreadId.KERNEL32 ref: 01017BA3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                          • String ID:
                          • API String ID: 2942034483-0
                          • Opcode ID: 1d98b30211bc8e680c2566745e9e71034414b2ade4b3b107e7766cbde0c0173e
                          • Instruction ID: 6786b44d58d29d3328c7b530a82c5ce672c2194f15d4c5feda29edf2233857b1
                          • Opcode Fuzzy Hash: 1d98b30211bc8e680c2566745e9e71034414b2ade4b3b107e7766cbde0c0173e
                          • Instruction Fuzzy Hash: D0F0963251971319E67577787C457CA3AC4AF11734B204699EAE0D70DCFF2D84818160
                          APIs
                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FF281D
                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00FF2825
                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FF2830
                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FF283B
                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00FF2843
                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00FF284B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Virtual
                          • String ID:
                          • API String ID: 4278518827-0
                          • Opcode ID: ab19d3d1969a7e9fd1872facc387fbea0ae02b97d708e4fde6d793aed645cacd
                          • Instruction ID: b416dab790334a158d089a245b2d9f742f7a30902bc71026aac51d856a81f5e2
                          • Opcode Fuzzy Hash: ab19d3d1969a7e9fd1872facc387fbea0ae02b97d708e4fde6d793aed645cacd
                          • Instruction Fuzzy Hash: F40167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 1423608774-0
                          • Opcode ID: b61a3b6f32e9044ec30ee5ddaeeb1afc37ceddb6a6671c27e1f658836642c5eb
                          • Instruction ID: 17ddcf23259af71bfb44ec2f358e80701d5f3556d9216e679bcb2ecd0d1ed0f0
                          • Opcode Fuzzy Hash: b61a3b6f32e9044ec30ee5ddaeeb1afc37ceddb6a6671c27e1f658836642c5eb
                          • Instruction Fuzzy Hash: 1D01F932501612ABDB251BD8FC48DEB77ADFFD83117040569F583B2094DBB99803DBA0
                          APIs
                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 01037C07
                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 01037C1D
                          • GetWindowThreadProcessId.USER32(?,?), ref: 01037C2C
                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01037C3B
                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01037C45
                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 01037C4C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                          • String ID:
                          • API String ID: 839392675-0
                          • Opcode ID: 0d6b045c6561c05907031df2023e7e42565949928e4eafc30b9d412a877093c8
                          • Instruction ID: 4f50a83f661a2d03540f017b3ac6fdd0b06339b7564648702c91d975a0b1c9c0
                          • Opcode Fuzzy Hash: 0d6b045c6561c05907031df2023e7e42565949928e4eafc30b9d412a877093c8
                          • Instruction Fuzzy Hash: EFF09072601158BBE7311792AC0DEEF3B7CDFCAB11F000018F641A1041D7A51A41C7B4
                          APIs
                          • InterlockedExchange.KERNEL32(?,?), ref: 01039A33
                          • EnterCriticalSection.KERNEL32(?,?,?,?,01065DEE,?,?,?,?,?,00FFED63), ref: 01039A44
                          • TerminateThread.KERNEL32(?,000001F6,?,?,?,01065DEE,?,?,?,?,?,00FFED63), ref: 01039A51
                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,01065DEE,?,?,?,?,?,00FFED63), ref: 01039A5E
                            • Part of subcall function 010393D1: CloseHandle.KERNEL32(?,?,01039A6B,?,?,?,01065DEE,?,?,?,?,?,00FFED63), ref: 010393DB
                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 01039A71
                          • LeaveCriticalSection.KERNEL32(?,?,?,?,01065DEE,?,?,?,?,?,00FFED63), ref: 01039A78
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                          • String ID:
                          • API String ID: 3495660284-0
                          • Opcode ID: c8d97e4c45eed24cb2455eec37e60b9fca7cd41407b4d9cdc0cd87e4c9590d89
                          • Instruction ID: 327655a6e5130d43289eb87916bd93e37d0f778f6f42634b0328b9853d441018
                          • Opcode Fuzzy Hash: c8d97e4c45eed24cb2455eec37e60b9fca7cd41407b4d9cdc0cd87e4c9590d89
                          • Instruction Fuzzy Hash: 69F0E932941201ABD7211BD4FC4CDEB3779FF94311B040061F243B1098DBBA9813DB60
                          APIs
                            • Part of subcall function 0100F4EA: std::exception::exception.LIBCMT ref: 0100F51E
                            • Part of subcall function 0100F4EA: __CxxThrowException@8.LIBCMT ref: 0100F533
                          • __swprintf.LIBCMT ref: 00FF1EA6
                          Strings
                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FF1D49
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Exception@8Throw__swprintfstd::exception::exception
                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                          • API String ID: 2125237772-557222456
                          • Opcode ID: 3f8deda0c345a58f2ca371c057991534a1164478bb5b4e17f0c8d866fbc57f96
                          • Instruction ID: b5888cbe76f4d0cab8fbef4fe0ba3392983ec27faebc56386420a67f58f900b5
                          • Opcode Fuzzy Hash: 3f8deda0c345a58f2ca371c057991534a1164478bb5b4e17f0c8d866fbc57f96
                          • Instruction Fuzzy Hash: 469169725082099FD724EF28CD85C7ABBA8BF95700F00495DFA85972B1DB34E944DB92
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 0104B006
                          • CharUpperBuffW.USER32(?,?), ref: 0104B115
                          • VariantClear.OLEAUT32(?), ref: 0104B298
                            • Part of subcall function 01039DC5: VariantInit.OLEAUT32(00000000), ref: 01039E05
                            • Part of subcall function 01039DC5: VariantCopy.OLEAUT32(?,?), ref: 01039E0E
                            • Part of subcall function 01039DC5: VariantClear.OLEAUT32(?), ref: 01039E1A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                          • API String ID: 4237274167-1221869570
                          • Opcode ID: 3341175d7f384f6cd9cfb6ff1912e6a588e625c76685f262a474d958b3999f6b
                          • Instruction ID: 21b19b8fa60361f43d202078e4a9dd8009c921e0f64779058e978ff88d78ea71
                          • Opcode Fuzzy Hash: 3341175d7f384f6cd9cfb6ff1912e6a588e625c76685f262a474d958b3999f6b
                          • Instruction Fuzzy Hash: 2B916C746083069FCB10DF68C5849AEBBF8BF89704F04496DF99A9B361DB31E905CB52
                          APIs
                            • Part of subcall function 0100C6F4: _wcscpy.LIBCMT ref: 0100C717
                          • _memset.LIBCMT ref: 01035438
                          • GetMenuItemInfoW.USER32(?), ref: 01035467
                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 01035513
                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0103553D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                          • String ID: 0
                          • API String ID: 4152858687-4108050209
                          • Opcode ID: 7fbab053bdc6f3d0147a43d0b469f8b4cc41a0436adf0c12626e4cb120bb43b7
                          • Instruction ID: 102e8dc6eecf0681ae9c0c119fc88f73a5314854ba2db024c721dfe7c3c50bd6
                          • Opcode Fuzzy Hash: 7fbab053bdc6f3d0147a43d0b469f8b4cc41a0436adf0c12626e4cb120bb43b7
                          • Instruction Fuzzy Hash: 1051F0726043019BE7959A2CCC906ABBBECAFC5314F040A69F9D6D31F1EB74E9448B52
                          APIs
                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0103027B
                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 010302B1
                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 010302C2
                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01030344
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorMode$AddressCreateInstanceProc
                          • String ID: DllGetClassObject
                          • API String ID: 753597075-1075368562
                          • Opcode ID: b2564241f39519dbb6305f6c2451124e3e8da5c757c1d52ae0c357127520adbd
                          • Instruction ID: b1ef79e178feb8a3ae15f0a73bb90ddc73dc6b6930ab4eddc0bdbaf07f9d8ece
                          • Opcode Fuzzy Hash: b2564241f39519dbb6305f6c2451124e3e8da5c757c1d52ae0c357127520adbd
                          • Instruction Fuzzy Hash: EC416DB1A01204EFDB55CF54C894B9B7BADEF84310B14C0A9B9899F209D7B5DA44CBA1
                          APIs
                          • _memset.LIBCMT ref: 01035075
                          • GetMenuItemInfoW.USER32 ref: 01035091
                          • DeleteMenu.USER32(00000004,00000007,00000000), ref: 010350D7
                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010B1708,00000000), ref: 01035120
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Menu$Delete$InfoItem_memset
                          • String ID: 0
                          • API String ID: 1173514356-4108050209
                          • Opcode ID: 20fc79ad40667ac29c53628216aa6ef2154c7ce296a917f838fbf4950cfc3b06
                          • Instruction ID: 7cc7e0b32e8c0913fd9a4f7568b3a7e3d072bb5c9aa4701ebf80932c154916c9
                          • Opcode Fuzzy Hash: 20fc79ad40667ac29c53628216aa6ef2154c7ce296a917f838fbf4950cfc3b06
                          • Instruction Fuzzy Hash: E7419D712043019FD720DF28DC84B6ABBE8AFC9324F044A5EFAD5972A1D731E940CB62
                          APIs
                          • CharLowerBuffW.USER32(?,?,?,?), ref: 01050587
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharLower
                          • String ID: cdecl$none$stdcall$winapi
                          • API String ID: 2358735015-567219261
                          • Opcode ID: c5bce3f3e75e31745a9596bb37a25011d655cd042b5f82b03e4752e4ede6bf9a
                          • Instruction ID: 29d38f097766fa0430d9ee329075149452bc27bec689df90842a30fee0a1801c
                          • Opcode Fuzzy Hash: c5bce3f3e75e31745a9596bb37a25011d655cd042b5f82b03e4752e4ede6bf9a
                          • Instruction Fuzzy Hash: C031C13460021AAFCF00EF98CD409EFB3B4FF54314B108A69E9A6A72D5DB71A905CB90
                          APIs
                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0102B88E
                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0102B8A1
                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 0102B8D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: eb279f7ced14d980b67f3b5374471bb45f4b58dbf69ebf28cd001a25ef3da078
                          • Instruction ID: bfd9b0ebf1b23146475ba6e100cc84c037b1d7eeb114a7f64bafba644f794034
                          • Opcode Fuzzy Hash: eb279f7ced14d980b67f3b5374471bb45f4b58dbf69ebf28cd001a25ef3da078
                          • Instruction Fuzzy Hash: 0621357290011CBFEB14ABA8CC86DFE77B8DF05314B004129F1A9A71E0DBB94D06D760
                          APIs
                          • _memset.LIBCMT ref: 00FF522F
                          • _wcscpy.LIBCMT ref: 00FF5283
                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FF5293
                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 01063CB0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: IconLoadNotifyShell_String_memset_wcscpy
                          • String ID: Line:
                          • API String ID: 1053898822-1585850449
                          • Opcode ID: 05eb5e399872275f47543746ff53a5215b26b8a1e2313512a782c21b282416c8
                          • Instruction ID: 1797ad72e39c5282356eaef73ed95c7554c80c01e5122f30e3be8a957662c6c2
                          • Opcode Fuzzy Hash: 05eb5e399872275f47543746ff53a5215b26b8a1e2313512a782c21b282416c8
                          • Instruction Fuzzy Hash: D931B0715087486BD330EB60EC82FEE7BD8AF44710F00461EF7C9961A1DBB8A5489B96
                          APIs
                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01044401
                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01044427
                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 01044457
                          • InternetCloseHandle.WININET(00000000), ref: 0104449E
                            • Part of subcall function 01045052: GetLastError.KERNEL32(?,?,010443CC,00000000,00000000,00000001), ref: 01045067
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                          • String ID:
                          • API String ID: 1951874230-3916222277
                          • Opcode ID: 8e2fe225533e350f5481f533e00b998b764a33aaf4c9bfefccc1c4f2a726f013
                          • Instruction ID: c3cfc3b0b404a3c2732ec523d40609842951dfec359d7a660c70869d79634137
                          • Opcode Fuzzy Hash: 8e2fe225533e350f5481f533e00b998b764a33aaf4c9bfefccc1c4f2a726f013
                          • Instruction Fuzzy Hash: BA2150F5500608BFE721AEA4CCC4FBFBAECEF88654F00852AF685E6140EA759D059771
                          APIs
                            • Part of subcall function 0100D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0100D1BA
                            • Part of subcall function 0100D17C: GetStockObject.GDI32(00000011), ref: 0100D1CE
                            • Part of subcall function 0100D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0100D1D8
                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0105915C
                          • LoadLibraryW.KERNEL32(?), ref: 01059163
                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 01059178
                          • DestroyWindow.USER32(?), ref: 01059180
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                          • String ID: SysAnimate32
                          • API String ID: 4146253029-1011021900
                          • Opcode ID: 7cde747fc38c9eda8303572f083378b208103b6889705ccec9279d76c41529c2
                          • Instruction ID: 086f13a95ae5c6e9e589590966d7f7f7ca5a7091419ac2d02a837e2139e43752
                          • Opcode Fuzzy Hash: 7cde747fc38c9eda8303572f083378b208103b6889705ccec9279d76c41529c2
                          • Instruction Fuzzy Hash: A621BE71600215FBEFA14EA89C88EBB37E9EF89368F100658FE9092191C7329C41A764
                          APIs
                          • GetStdHandle.KERNEL32(0000000C), ref: 01039588
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 010395B9
                          • GetStdHandle.KERNEL32(0000000C), ref: 010395CB
                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 01039605
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: 6892be87bc05b7f18849a973f2ec0e226eba4a783bd733debc8f834cc8f5dd89
                          • Instruction ID: db951841f54a23f54d3f8ef9b4440ca9cd9a95fe26165cde50d26a4e84a7a8b7
                          • Opcode Fuzzy Hash: 6892be87bc05b7f18849a973f2ec0e226eba4a783bd733debc8f834cc8f5dd89
                          • Instruction Fuzzy Hash: D4216271500305ABEB209F69D804A9E7BFCAFD5728F204A59F9E1E72D0D7B1D991CB10
                          APIs
                          • GetStdHandle.KERNEL32(000000F6), ref: 01039653
                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 01039683
                          • GetStdHandle.KERNEL32(000000F6), ref: 01039694
                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 010396CE
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateHandle$FilePipe
                          • String ID: nul
                          • API String ID: 4209266947-2873401336
                          • Opcode ID: 564cf0551477ea69b73eafdb2a16bfd294ce0c0deac8d5933813704939bf7889
                          • Instruction ID: 4f32cb46c14b9de04a837ef82581aa3b6b88dbde79a1e6c1c03ad2816738a462
                          • Opcode Fuzzy Hash: 564cf0551477ea69b73eafdb2a16bfd294ce0c0deac8d5933813704939bf7889
                          • Instruction Fuzzy Hash: 8821A1716012059BDB209F6D9804E9E77ECAFD8738F200A58F9E1E72D0DBB19441DB10
                          APIs
                          • SetErrorMode.KERNEL32(00000001), ref: 0103DB0A
                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0103DB5E
                          • __swprintf.LIBCMT ref: 0103DB77
                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0108DC00), ref: 0103DBB5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorMode$InformationVolume__swprintf
                          • String ID: %lu
                          • API String ID: 3164766367-685833217
                          • Opcode ID: e755729033ab6e1b78c5055f47cc237aa912f88e86ce733da51b86d3b41ec8b3
                          • Instruction ID: 7d9f83641d9790674e3dee1ce1d129978502477d0438a492941e014d1950662b
                          • Opcode Fuzzy Hash: e755729033ab6e1b78c5055f47cc237aa912f88e86ce733da51b86d3b41ec8b3
                          • Instruction Fuzzy Hash: B8219535A0010DAFCB10EFA5DD85DEEBBB8EF88704B004069F649E7251DB75EA01DB60
                          APIs
                            • Part of subcall function 0102C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0102C84A
                            • Part of subcall function 0102C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0102C85D
                            • Part of subcall function 0102C82D: GetCurrentThreadId.KERNEL32 ref: 0102C864
                            • Part of subcall function 0102C82D: AttachThreadInput.USER32(00000000), ref: 0102C86B
                          • GetFocus.USER32 ref: 0102CA05
                            • Part of subcall function 0102C876: GetParent.USER32(?), ref: 0102C884
                          • GetClassNameW.USER32(?,?,00000100), ref: 0102CA4E
                          • EnumChildWindows.USER32(?,0102CAC4), ref: 0102CA76
                          • __swprintf.LIBCMT ref: 0102CA90
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                          • String ID: %s%d
                          • API String ID: 3187004680-1110647743
                          • Opcode ID: 026c03e51858118067b1e3d84faa76284961e62a74cbe266aec9c2933d6431c6
                          • Instruction ID: ddd7233b01e5b037e8510c135de67cc28b54fb2df4bc888d0aa619a1a117a64b
                          • Opcode Fuzzy Hash: 026c03e51858118067b1e3d84faa76284961e62a74cbe266aec9c2933d6431c6
                          • Instruction Fuzzy Hash: 031106715002157BEF11BFA08D84FED377CAF54714F008066FE48AA041DB749905DB70
                          APIs
                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 010519F3
                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 01051A26
                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 01051B49
                          • CloseHandle.KERNEL32(?), ref: 01051BBF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                          • String ID:
                          • API String ID: 2364364464-0
                          • Opcode ID: dbec56dd84b84e87b9e5cc3446455d96b7696606fc67a468c16f52f03fbaa35b
                          • Instruction ID: 775ee244781a3bc1a1c4ba395b954a622f7da54eba5c59192789930e68dda65d
                          • Opcode Fuzzy Hash: dbec56dd84b84e87b9e5cc3446455d96b7696606fc67a468c16f52f03fbaa35b
                          • Instruction Fuzzy Hash: 77816170600205ABEF11EF64C885BAEBBF5AF58720F048499FA45AF3C1D7B5E941CB90
                          APIs
                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0105E1D5
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0105E20D
                          • IsDlgButtonChecked.USER32(?,00000001), ref: 0105E248
                          • GetWindowLongW.USER32(?,000000EC), ref: 0105E269
                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0105E281
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$ButtonCheckedLongWindow
                          • String ID:
                          • API String ID: 3188977179-0
                          • Opcode ID: 9aca969a2f8d2dab0b915be817839ef96582994156e72a3b1b0b8522e987eafe
                          • Instruction ID: dfeb1c38db2f8454bf9d94a2584e97f766f72d1a28fc07b8f7be7fca1fb99373
                          • Opcode Fuzzy Hash: 9aca969a2f8d2dab0b915be817839ef96582994156e72a3b1b0b8522e987eafe
                          • Instruction Fuzzy Hash: 6B618E34A00204AFEBA5DF58C894FEBBBFAAF49310F144099FDD997291C775AA40CB54
                          APIs
                          • VariantInit.OLEAUT32(?), ref: 01031CB4
                          • VariantClear.OLEAUT32(00000013), ref: 01031D26
                          • VariantClear.OLEAUT32(00000000), ref: 01031D81
                          • VariantClear.OLEAUT32(?), ref: 01031DF8
                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 01031E26
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$Clear$ChangeInitType
                          • String ID:
                          • API String ID: 4136290138-0
                          • Opcode ID: eb2116bc44217c3c7559ecd61c87a49a1c958941d739ef58ea024c25c8adc51b
                          • Instruction ID: 3b32cec4bf2f9bcb1b5d27b5930ee9c5bd7aeee1f11f6d6f1ba32bc960ba03ec
                          • Opcode Fuzzy Hash: eb2116bc44217c3c7559ecd61c87a49a1c958941d739ef58ea024c25c8adc51b
                          • Instruction Fuzzy Hash: F7518CB5A00209EFDB10DF58C884AAAB7F8FF8D314B158559E999DB304D730E911CFA0
                          APIs
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 010506EE
                          • GetProcAddress.KERNEL32(00000000,?), ref: 0105077D
                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0105079B
                          • GetProcAddress.KERNEL32(00000000,?), ref: 010507E1
                          • FreeLibrary.KERNEL32(00000000,00000004), ref: 010507FB
                            • Part of subcall function 0100E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0103A574,?,?,00000000,00000008), ref: 0100E675
                            • Part of subcall function 0100E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0103A574,?,?,00000000,00000008), ref: 0100E699
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                          • String ID:
                          • API String ID: 327935632-0
                          • Opcode ID: 76dc338eaf1eee9ed81c3b4cbdd1cb7184bf9d8c95627c792e0507ea65758c20
                          • Instruction ID: 8b269ee73709ec67ed6350efcdd91165df671cfefa21f29217269540805d1e1a
                          • Opcode Fuzzy Hash: 76dc338eaf1eee9ed81c3b4cbdd1cb7184bf9d8c95627c792e0507ea65758c20
                          • Instruction Fuzzy Hash: D9514975A0020ADFDB40EFA8C990DAEB7F5BF48310F048095FA95AB361DB34E945DB80
                          APIs
                            • Part of subcall function 01053C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,01052BB5,?,?), ref: 01053C1D
                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01052EEF
                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01052F2E
                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01052F75
                          • RegCloseKey.ADVAPI32(?,?), ref: 01052FA1
                          • RegCloseKey.ADVAPI32(00000000), ref: 01052FAE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                          • String ID:
                          • API String ID: 3740051246-0
                          • Opcode ID: 45c9142f3903363e0c524612b68049740e3689eba1cfb72cb9f4235631182b8e
                          • Instruction ID: 8fe950f60a230c331a7c9732ea6042fbc64b35fe738f07b7f2a06aef5c773d54
                          • Opcode Fuzzy Hash: 45c9142f3903363e0c524612b68049740e3689eba1cfb72cb9f4235631182b8e
                          • Instruction Fuzzy Hash: 72514B71208208EFD744EB54CD85E6FB7E9BF88304F00486DFA95972A1DB35E904DB92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 68d4f31583ac64f8402d5b569af9ae242ba5732c1e491217b1970f038a6b364c
                          • Instruction ID: b6b0794803dfcbbfca647d0d6b893c17a2b0d5a0d7e038d8b2e253ef73d5c665
                          • Opcode Fuzzy Hash: 68d4f31583ac64f8402d5b569af9ae242ba5732c1e491217b1970f038a6b364c
                          • Instruction Fuzzy Hash: 6741B339900304ABE7A0EA68CD44FAABFACEB09310F040195ED99E72D1D634A901DBA0
                          APIs
                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 010412B4
                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 010412DD
                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0104131C
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 01041341
                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 01041349
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                          • String ID:
                          • API String ID: 1389676194-0
                          • Opcode ID: fce1240b2658ef2dfc287abcfd6d9f9ca9e1c53253bf2e754a85ef9a901f2586
                          • Instruction ID: c805db4fd9434cad129a6bf951b4926bca0774a159aaa8b6275441872259f5b7
                          • Opcode Fuzzy Hash: fce1240b2658ef2dfc287abcfd6d9f9ca9e1c53253bf2e754a85ef9a901f2586
                          • Instruction Fuzzy Hash: 93411B75A00109DFDB01EF64C981EAEBBF9FF08310B148099E94AAB3A1CB35ED41DB50
                          APIs
                          • GetCursorPos.USER32(000000FF), ref: 0100B64F
                          • ScreenToClient.USER32(00000000,000000FF), ref: 0100B66C
                          • GetAsyncKeyState.USER32(00000001), ref: 0100B691
                          • GetAsyncKeyState.USER32(00000002), ref: 0100B69F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AsyncState$ClientCursorScreen
                          • String ID:
                          • API String ID: 4210589936-0
                          • Opcode ID: 16c1c3b6ce422acf811aa9718b9726c2eea9aecd1e24a18102d88e07ef436443
                          • Instruction ID: 41823ff486c769efaaf3f5365d8c30f4a718271e5fe50a7d528180dedc0532a7
                          • Opcode Fuzzy Hash: 16c1c3b6ce422acf811aa9718b9726c2eea9aecd1e24a18102d88e07ef436443
                          • Instruction Fuzzy Hash: 4F41A334604105FBEF568FA8CC44AEDBBB4FF09324F104356E8A4A21D0C734A990DF90
                          APIs
                          • GetWindowRect.USER32(?,?), ref: 0102B369
                          • PostMessageW.USER32(?,00000201,00000001), ref: 0102B413
                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0102B41B
                          • PostMessageW.USER32(?,00000202,00000000), ref: 0102B429
                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0102B431
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessagePostSleep$RectWindow
                          • String ID:
                          • API String ID: 3382505437-0
                          • Opcode ID: 753f6d6661d6b7b3eb1e141f28259a40add0019c8dfe3312b64e8541b5c2c6c2
                          • Instruction ID: 28f041430327c4b1e08373d9d3062e54b1f15c7cd20042073717f2c2b2fafc89
                          • Opcode Fuzzy Hash: 753f6d6661d6b7b3eb1e141f28259a40add0019c8dfe3312b64e8541b5c2c6c2
                          • Instruction Fuzzy Hash: 3F31A071900229EBDF14CFACD94DADE7BB5EF04329F008269F9A5A61C1C7B49954CB90
                          APIs
                          • IsWindowVisible.USER32(?), ref: 0102DBD7
                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0102DBF4
                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0102DC2C
                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0102DC52
                          • _wcsstr.LIBCMT ref: 0102DC5C
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                          • String ID:
                          • API String ID: 3902887630-0
                          • Opcode ID: e354b2518d97cedba56300a9865ef9f64ee7c1a56f3f7774b1a0fbb97efd855a
                          • Instruction ID: 1ca30c4886c56a00097f8c7225e4bb86b2db0a49c5be1561d2131f25884526e0
                          • Opcode Fuzzy Hash: e354b2518d97cedba56300a9865ef9f64ee7c1a56f3f7774b1a0fbb97efd855a
                          • Instruction Fuzzy Hash: 99214C31204115BBF7265FB8DC48E7F7BECDF45620F104069F989DB080DAA5CC009760
                          APIs
                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0102BC90
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0102BCC2
                          • __itow.LIBCMT ref: 0102BCDA
                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0102BD00
                          • __itow.LIBCMT ref: 0102BD11
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          • Opcode ID: 6bb1123b70a1495c02c3da9cf9dcba567ceabcfe60725b3a8382f33020c72c50
                          • Instruction ID: 7feee847ca48619377f6d1ea92408a1a83921bff39dd6b1572613c80e8aeb12f
                          • Opcode Fuzzy Hash: 6bb1123b70a1495c02c3da9cf9dcba567ceabcfe60725b3a8382f33020c72c50
                          • Instruction Fuzzy Hash: 2A21083170062CBBDB21BEA98C45FEF7BA9AF49710F000064FB85EB181EA75890587A1
                          APIs
                            • Part of subcall function 00FF50E6: _wcsncpy.LIBCMT ref: 00FF50FA
                          • GetFileAttributesW.KERNEL32(?,?,?,?,010360C3), ref: 01036369
                          • GetLastError.KERNEL32(?,?,?,010360C3), ref: 01036374
                          • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010360C3), ref: 01036388
                          • _wcsrchr.LIBCMT ref: 010363AA
                            • Part of subcall function 01036318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,010360C3), ref: 010363E0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                          • String ID:
                          • API String ID: 3633006590-0
                          • Opcode ID: 7b2fa09e7766bfd599843ce1db39123228310afebe3e35dc511aafd660bda311
                          • Instruction ID: 53359988021daaa82bd62a285562cdec5055181589d9f0694754700fcb6e4046
                          • Opcode Fuzzy Hash: 7b2fa09e7766bfd599843ce1db39123228310afebe3e35dc511aafd660bda311
                          • Instruction Fuzzy Hash: A42108319042166BEB26AA78AC41FEE33ECEF55360F1080A5F1C5D70C4EFA6D7818B54
                          APIs
                            • Part of subcall function 0104A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0104A84E
                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 01048BD3
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048BE2
                          • connect.WSOCK32(00000000,?,00000010), ref: 01048BFE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLastconnectinet_addrsocket
                          • String ID:
                          • API String ID: 3701255441-0
                          • Opcode ID: d46ef2eccaf84b60c3cacbc44e1a1cbba819a0a44c65f27ed3fc2947b63625b2
                          • Instruction ID: 68a6553f50703f6b93c12d939362d69d9d49e675209d57accd765b819a566516
                          • Opcode Fuzzy Hash: d46ef2eccaf84b60c3cacbc44e1a1cbba819a0a44c65f27ed3fc2947b63625b2
                          • Instruction Fuzzy Hash: 8C21C3716001199FDB10AFA8C985F7E77E8EF54710F04845AE996E72D1DB74A8018B51
                          APIs
                          • IsWindow.USER32(00000000), ref: 01048441
                          • GetForegroundWindow.USER32 ref: 01048458
                          • GetDC.USER32(00000000), ref: 01048494
                          • GetPixel.GDI32(00000000,?,00000003), ref: 010484A0
                          • ReleaseDC.USER32(00000000,00000003), ref: 010484DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$ForegroundPixelRelease
                          • String ID:
                          • API String ID: 4156661090-0
                          • Opcode ID: bcd7bb465abfbcbe3b913d6de0aad339cac9c6c634cb4f9215694488473e67b6
                          • Instruction ID: 5dea96f6b5031cb47ee78146c1bd03103a1f871e7fe32d816a6f8f78698723dd
                          • Opcode Fuzzy Hash: bcd7bb465abfbcbe3b913d6de0aad339cac9c6c634cb4f9215694488473e67b6
                          • Instruction Fuzzy Hash: 38219675A00204AFD710EFA4D884AAEBBF5EF88301F04C879E999A7251DE75AD00DB90
                          APIs
                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0100AFE3
                          • SelectObject.GDI32(?,00000000), ref: 0100AFF2
                          • BeginPath.GDI32(?), ref: 0100B009
                          • SelectObject.GDI32(?,00000000), ref: 0100B033
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ObjectSelect$BeginCreatePath
                          • String ID:
                          • API String ID: 3225163088-0
                          • Opcode ID: 37ce45e2db30ec6ade7008aeaafa0ceb86df92de48e649eb55cf8e738c88105b
                          • Instruction ID: 8a4123e1c4aaa2ce03bfd32bfd5a5e027c48a1e14a16d761f0c0a38d38584ac4
                          • Opcode Fuzzy Hash: 37ce45e2db30ec6ade7008aeaafa0ceb86df92de48e649eb55cf8e738c88105b
                          • Instruction Fuzzy Hash: D621A1B9900305EFEB32DF98F8987E97BA8BB14355F14432AF5A4A20C4D37A4581CF90
                          APIs
                          • __calloc_crt.LIBCMT ref: 010121A9
                          • CreateThread.KERNEL32(?,?,010122DF,00000000,?,?), ref: 010121ED
                          • GetLastError.KERNEL32 ref: 010121F7
                          • _free.LIBCMT ref: 01012200
                          • __dosmaperr.LIBCMT ref: 0101220B
                            • Part of subcall function 01017C0E: __getptd_noexit.LIBCMT ref: 01017C0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                          • String ID:
                          • API String ID: 2664167353-0
                          • Opcode ID: 20bad2d151393b1d4a867ed52c4ac4054fbd3ef16c3560b5253265be55eebb28
                          • Instruction ID: 72289d15e9936108cf5ff4128cddacb2785ddc313a034ca59f474045e00b3ae5
                          • Opcode Fuzzy Hash: 20bad2d151393b1d4a867ed52c4ac4054fbd3ef16c3560b5253265be55eebb28
                          • Instruction Fuzzy Hash: 1211083310030BAFAB21AFA9DC40DDF3BD8EF556707200029FA9496148DB7AC41187A0
                          APIs
                          • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0102ABD7
                          • GetLastError.KERNEL32(?,0102A69F,?,?,?), ref: 0102ABE1
                          • GetProcessHeap.KERNEL32(00000008,?,?,0102A69F,?,?,?), ref: 0102ABF0
                          • HeapAlloc.KERNEL32(00000000,?,0102A69F,?,?,?), ref: 0102ABF7
                          • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0102AC0E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 842720411-0
                          • Opcode ID: c5f34c234d1c75bf228c9ac908113e916717ff6bcc682c8d765f93f69e3ccd96
                          • Instruction ID: 755bde8c4c2d882252ef7cfd67c7e6d5d2d92e4f92256478990e99c7e7188fb2
                          • Opcode Fuzzy Hash: c5f34c234d1c75bf228c9ac908113e916717ff6bcc682c8d765f93f69e3ccd96
                          • Instruction Fuzzy Hash: 53016D70700218BFDB214FA9DC48D6B3BACEF892547200469F589D3241DA72D840CF60
                          APIs
                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01037A74
                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01037A82
                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 01037A8A
                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01037A94
                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01037AD0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: PerformanceQuery$CounterSleep$Frequency
                          • String ID:
                          • API String ID: 2833360925-0
                          • Opcode ID: 9901ba15776d728a944665dcc6dbcacf8d468b28b9ea7d61fe0c5738e00250cb
                          • Instruction ID: f365d803cd69b218425ffeb68c7d2d3d37196a0b6f8d5540326a988ed347230e
                          • Opcode Fuzzy Hash: 9901ba15776d728a944665dcc6dbcacf8d468b28b9ea7d61fe0c5738e00250cb
                          • Instruction Fuzzy Hash: A5014CB1C01A1DEBDF20AFE4E848AEDBB7CFF88711F044495D582B2244DB359651C7A1
                          APIs
                          • CLSIDFromProgID.OLE32 ref: 01029ADC
                          • ProgIDFromCLSID.OLE32(?,00000000), ref: 01029AF7
                          • lstrcmpiW.KERNEL32(?,00000000), ref: 01029B05
                          • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 01029B15
                          • CLSIDFromString.OLE32(?,?), ref: 01029B21
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: From$Prog$FreeStringTasklstrcmpi
                          • String ID:
                          • API String ID: 3897988419-0
                          • Opcode ID: 87a369205cf3a564cc989aec50ee1cc2d7b43a8e6bda57bb5f4d68ccd3a2738e
                          • Instruction ID: b3668e8feb71a2b8f523e84138dc5db9831f778d824c98ba28f21d1147a2a9b4
                          • Opcode Fuzzy Hash: 87a369205cf3a564cc989aec50ee1cc2d7b43a8e6bda57bb5f4d68ccd3a2738e
                          • Instruction Fuzzy Hash: 92018F76A00228BFDB614F98DD44B9A7EEDEF48355F148028FE89E2200D776D9019BA0
                          APIs
                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0102AA79
                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0102AA83
                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0102AA92
                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0102AA99
                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0102AAAF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: c7e25febba4a58cc1a7cf4448c079ccd9a2c2e287955e154936cdc06f33545a8
                          • Instruction ID: 26374be7b2e035791c6b9f9fdddb256b35af386218cdd98736c7767007facd72
                          • Opcode Fuzzy Hash: c7e25febba4a58cc1a7cf4448c079ccd9a2c2e287955e154936cdc06f33545a8
                          • Instruction Fuzzy Hash: 1DF04F71600214BFEB215EE8AC89F673BACFF49658B104469FA81E7180DB66D8428B70
                          APIs
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 0102AADA
                           • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 0102AAE4
                           • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 0102AAF3
                           • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 0102AAFA
                           • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 0102AB10
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: HeapInformationToken$AllocErrorLastProcess
                          • String ID:
                          • API String ID: 44706859-0
                          • Opcode ID: e54e617d07312680413708b18887868ff285b290154307532949a1888ad12a4c
                          • Instruction ID: e0a06555a6396e02bbdda776dc91ac03f1e9f7a01c0a2713ddcfc1e99b02da7d
                          • Opcode Fuzzy Hash: e54e617d07312680413708b18887868ff285b290154307532949a1888ad12a4c
                          • Instruction Fuzzy Hash: E6F04F71700318BFEB220EA8EC98F673BADFF46654F100469FA85E7181CA66D801CB60
                          APIs
                          • GetDlgItem.USER32(?,000003E9), ref: 0102EC94
                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0102ECAB
                          • MessageBeep.USER32(00000000), ref: 0102ECC3
                          • KillTimer.USER32(?,0000040A), ref: 0102ECDF
                          • EndDialog.USER32(?,00000001), ref: 0102ECF9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                          • String ID:
                          • API String ID: 3741023627-0
                          • Opcode ID: c5b691466f0d8bc3f64d3bf2bc4257ed17ec9d204091d3774417e53fed41acd2
                          • Instruction ID: fa8f11045ad585c1ce3891d2c41a5581d7ef29e5a04c1810a450973d8fa89036
                          • Opcode Fuzzy Hash: c5b691466f0d8bc3f64d3bf2bc4257ed17ec9d204091d3774417e53fed41acd2
                          • Instruction Fuzzy Hash: 14018130940718ABEB355B94DE5EB967BB8FF00B05F00055AF6C6B24D1DBF9A645CB40
                          APIs
                          • EndPath.GDI32(?), ref: 0100B0BA
                          • StrokeAndFillPath.GDI32(?,?,0106E680,00000000,?,?,?), ref: 0100B0D6
                          • SelectObject.GDI32(?,00000000), ref: 0100B0E9
                          • DeleteObject.GDI32 ref: 0100B0FC
                          • StrokePath.GDI32(?), ref: 0100B117
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Path$ObjectStroke$DeleteFillSelect
                          • String ID:
                          • API String ID: 2625713937-0
                          • Opcode ID: bda2eb011291bc7f61a9b24c028622f2599c447f43970217e5858a85f88947d7
                          • Instruction ID: 51167db93c3ca0bf7873919acf40e847d9800d14dc864fc2536e01d8802a0552
                          • Opcode Fuzzy Hash: bda2eb011291bc7f61a9b24c028622f2599c447f43970217e5858a85f88947d7
                          • Instruction Fuzzy Hash: B8F0F639500244AFEB329FA9F8487D43FA5AB04362F088354F5E9540E8C73A8595CF50
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0103F2DA
                          • CoCreateInstance.OLE32(0107DA7C,00000000,00000001,0107D8EC,?), ref: 0103F2F2
                          • CoUninitialize.OLE32 ref: 0103F555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateInitializeInstanceUninitialize
                          • String ID: .lnk
                          • API String ID: 948891078-24824748
                          • Opcode ID: e4e140dc1e9fd03856f22de72ddd88b60c6fdf662692f53230fb1254c132e85e
                          • Instruction ID: 725468b2bb9a748198749b518d5af19866c4ddf0e1b5dd21f39e69773cd5eaf6
                          • Opcode Fuzzy Hash: e4e140dc1e9fd03856f22de72ddd88b60c6fdf662692f53230fb1254c132e85e
                          • Instruction Fuzzy Hash: 60A15C71504205AFD301EFA4CC85EABB7ECEF98714F00491DF695971A1EB74EA09CBA2
                          APIs
                            • Part of subcall function 00FF660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00FF53B1,?,?,00FF61FF,?,00000000,00000001,00000000), ref: 00FF662F
                          • CoInitialize.OLE32(00000000), ref: 0103E85D
                          • CoCreateInstance.OLE32(0107DA7C,00000000,00000001,0107D8EC,?), ref: 0103E876
                          • CoUninitialize.OLE32 ref: 0103E893
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                          • String ID: .lnk
                          • API String ID: 2126378814-24824748
                          • Opcode ID: 10a6037f2b6f8758f21957bfc58a16b0bd4c7683378f034af3d5cde12fa41974
                          • Instruction ID: c62f2e2f88e77c091c1466fbdd5c86c677e1f86d8bf4e8b093bd70f753dcf7e9
                          • Opcode Fuzzy Hash: 10a6037f2b6f8758f21957bfc58a16b0bd4c7683378f034af3d5cde12fa41974
                          • Instruction Fuzzy Hash: EFA147356043059FCB10DF14C884D6ABBE9FF88710F048A99FA9A9B3A1CB35EC45CB91
                          APIs
                          • __startOneArgErrorHandling.LIBCMT ref: 010132ED
                            • Part of subcall function 0101E0D0: __87except.LIBCMT ref: 0101E10B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorHandling__87except__start
                          • String ID: pow
                          • API String ID: 2905807303-2276729525
                          • Opcode ID: 5b7e1e3787182b053f4b4611387d1324f22f371e1232dc574d8eebaf3ef83a4c
                          • Instruction ID: 4a6b95314e940f126415f65e3d84d5b29961c80b9bce9697f5273b62a7aa0b4d
                          • Opcode Fuzzy Hash: 5b7e1e3787182b053f4b4611387d1324f22f371e1232dc574d8eebaf3ef83a4c
                          • Instruction Fuzzy Hash: 3C51E571A0920296DB67B618C9503FE6BD4BB40770F248DA8F8D58A29DDF3D8494C74A
                          APIs
                          • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0108DC50,?,0000000F,0000000C,00000016,0108DC50,?), ref: 01034645
                            • Part of subcall function 00FF936C: __swprintf.LIBCMT ref: 00FF93AB
                            • Part of subcall function 00FF936C: __itow.LIBCMT ref: 00FF93DF
                          • CharUpperBuffW.USER32(?,?,00000000,?), ref: 010346C5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: BuffCharUpper$__itow__swprintf
                          • String ID: REMOVE$THIS
                          • API String ID: 3797816924-776492005
                          • Opcode ID: 65d648382eb1baa20b41c6e64b26b2a94726edfeccd1844b8fe0e737ef3d2c32
                          • Instruction ID: b0a5b96f1dec6d6760514eca621c90bc748ffeb7ca2df5cb44a1ab6e29dd2087
                          • Opcode Fuzzy Hash: 65d648382eb1baa20b41c6e64b26b2a94726edfeccd1844b8fe0e737ef3d2c32
                          • Instruction Fuzzy Hash: 4C416034A002199FCF05EF94C881AADB7B9FF89204F048499EA96EF2A1DB35D945CB50
                          APIs
                            • Part of subcall function 0103430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0102BC08,?,?,00000034,00000800,?,00000034), ref: 01034335
                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0102C1D3
                            • Part of subcall function 010342D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0102BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 01034300
                            • Part of subcall function 0103422F: GetWindowThreadProcessId.USER32(?,?), ref: 0103425A
                            • Part of subcall function 0103422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0102BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0103426A
                            • Part of subcall function 0103422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0102BBCC,00000034,?,?,00001004,00000000,00000000), ref: 01034280
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0102C240
                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0102C28D
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                          • String ID: @
                          • API String ID: 4150878124-2766056989
                          • Opcode ID: 239cf22c1dd6875f824121e796cf6fb2ee7ea8c3d086c7a90f8d9f4324576d2f
                          • Instruction ID: 4909b9532e4d9a9f96db0ecc683746e8a6df428e3a2bc25b807c0721a44a3a03
                          • Opcode Fuzzy Hash: 239cf22c1dd6875f824121e796cf6fb2ee7ea8c3d086c7a90f8d9f4324576d2f
                          • Instruction Fuzzy Hash: C8415E7290021DBFDB11EFA4CD81AEEB7B8FF59300F144095EA95BB180DA716E49CB61
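Added example, not Joe Sandbox code and not part of this report: a small Python triage helper that parses the text layout of these function records (the "APIs" lines with their module, argument list, "ref:" address and "Part of subcall function" prefix, plus the "Similarity" fields) and flags API combinations a responder would want grouped, such as the OpenProcess/VirtualAllocEx/WriteProcessMemory chain in the record above, which is reached only through subcalls, or a GetTokenInformation call decoded from its numeric class against the Windows TOKEN_INFORMATION_CLASS values (2 = TokenGroups, 3 = TokenPrivileges, 25 = TokenIntegrityLevel) instead of relying on the annotation string. The sample input is a constructed, abridged excerpt in the report's layout; the rule names, the rule set and the class table are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox function-analysis records (added example)."""
import re

# Constructed sample: three abridged records in the report's text layout.
SAMPLE_REPORT = """\
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0102AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0102AAE4
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0102AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?), ref: 0102AB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• Opcode ID: e54e617d07312680413708b18887868ff285b290154307532949a1888ad12a4c
APIs
  • Part of subcall function 0103430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 01034335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0102C1D3
  • Part of subcall function 010342D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 01034300
  • Part of subcall function 0103422F: OpenProcess.KERNEL32(00000438,00000000,?), ref: 0103426A
  • Part of subcall function 0103422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004), ref: 01034280
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• Opcode ID: 239cf22c1dd6875f824121e796cf6fb2ee7ea8c3d086c7a90f8d9f4324576d2f
APIs
• CoInitialize.OLE32(00000000), ref: 0103F2DA
• CoUninitialize.OLE32 ref: 0103F555
• QueryPerformanceCounter.KERNEL32(?,00000000), ref: 01037A74
• Sleep.KERNEL32(00000000), ref: 01037A8A
Similarity
• Opcode ID: 9901ba15776d728a944665dcc6dbcacf8d468b28b9ea7d61fe0c5738e00250cb
"""

# One API line: optional subcall prefix, Name.MODULE, optional (args), ref: address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# One "• Key: value" line from the Similarity / Memory Dump Source sections.
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*)$")

# Subset of the Windows TOKEN_INFORMATION_CLASS enum, used to decode the
# second GetTokenInformation argument from its number (assumed table).
TOKEN_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
               18: "TokenElevationType", 20: "TokenElevation",
               25: "TokenIntegrityLevel"}

# Example rule set: every API in the set must appear in the same record.
RULES = {
    "cross-process memory write": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"},
    "token inspection": {"GetTokenInformation"},
    "timing loop": {"QueryPerformanceCounter", "Sleep"},
}


def parse_records(text):
    """Split the report text into records, one per 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue  # bare section headers such as 'Similarity' carry no data
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": args, "ref": m["ref"], "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m["key"]] = m["val"].strip()
    return records


def flag_record(rec):
    """Return the rule labels whose whole API set is present in the record."""
    names = {a["name"] for a in rec["apis"]}
    return [label for label, needed in RULES.items() if needed <= names]


def only_via_subcalls(rec, label):
    """True when every API behind `label` is inherited from a subcall, i.e. the
    record's own body never calls it (matters when attributing behaviour)."""
    hits = [a for a in rec["apis"] if a["name"] in RULES[label]]
    return bool(hits) and all(a["subcall"] is not None for a in hits)


def token_classes(rec):
    """Decode the numeric TOKEN_INFORMATION_CLASS passed to GetTokenInformation."""
    out = set()
    for a in rec["apis"]:
        if a["name"] == "GetTokenInformation" and len(a["args"]) > 1:
            m = re.match(r"([0-9A-Fa-f]+)", a["args"][1])
            if m:
                val = int(m.group(1), 16)
                out.add(TOKEN_CLASS.get(val, f"class_{val}"))
    return out


def triage(text):
    """Map each record's Opcode ID (first 12 hex chars) to its rule hits."""
    return {rec["fields"].get("Opcode ID", "?")[:12]: flag_record(rec)
            for rec in parse_records(text)}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE_REPORT):
        print(rec["fields"].get("Opcode ID", "?")[:12],
              flag_record(rec), token_classes(rec))
```

Feed the script the text of a whole function-analysis section and the Opcode ID lets you tie each hit back to the record, while the subcall flag tells you whether the record is the allocator/writer itself or only a caller of a shared helper.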
                          APIs
                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0108DC00,00000000,?,?,?,?), ref: 0105A6D8
                          • GetWindowLongW.USER32 ref: 0105A6F5
                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0105A705
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Long
                          • String ID: SysTreeView32
                          • API String ID: 847901565-1698111956
                          • Opcode ID: 87329160bb9526c91fbb33145a5d7bee3dced12cfd6c1b5bbfb84b11cc278d1c
                          • Instruction ID: 00e097e29c95937f8fecf80a0918ecb1ed9aa98065781fb4da1d45e72296292b
                          • Opcode Fuzzy Hash: 87329160bb9526c91fbb33145a5d7bee3dced12cfd6c1b5bbfb84b11cc278d1c
                          • Instruction Fuzzy Hash: 0631B03160060AAFDBA18E78DC44BEB7BA9FF49324F244715F9B5A31D0C775E8508B60
                          APIs
                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0105A15E
                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0105A172
                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 0105A196
                          Strings
                          Similarity
                          • API ID: MessageSend$Window
                          • String ID: SysMonthCal32
                          • API String ID: 2326795674-1439706946
                          • Opcode ID: 28c42e0941c8cac3ca383ad8b04ebad2bae91fbfdf7e2748426361431dfe9b16
                          • Instruction ID: 8cea5e58cf3391c71dd8cd0fe63a56d160e7fbe0caea7f3c7f8500eb1db6b312
                          • Opcode Fuzzy Hash: 28c42e0941c8cac3ca383ad8b04ebad2bae91fbfdf7e2748426361431dfe9b16
                          • Instruction Fuzzy Hash: BC21B132610218ABEF128E94CC41FEB3BB9EF48754F010214FE95AB1D0D6B5A850CBA4
                          APIs
                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0105A941
                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0105A94F
                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0105A956
                          Strings
                          Similarity
                          • API ID: MessageSend$DestroyWindow
                          • String ID: msctls_updown32
                          • API String ID: 4014797782-2298589950
                          • Opcode ID: eb6ce804f2669351818a776a26b7e3815bf88281400267f99f937de7554d409e
                          • Instruction ID: 3f19212d1451e392ccbc882c141a0cc35f30149880d0ada5aeee16ae1488acf3
                          • Opcode Fuzzy Hash: eb6ce804f2669351818a776a26b7e3815bf88281400267f99f937de7554d409e
                          • Instruction Fuzzy Hash: EE21B0B5A00209AFEB12DF58DCD1DB737ADEF4E2A4B040149FA849B251CB31EC118B60
                          APIs
                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01059A30
                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01059A40
                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01059A65
                          Strings
                          Similarity
                          • API ID: MessageSend$MoveWindow
                          • String ID: Listbox
                          • API String ID: 3315199576-2633736733
                          • Opcode ID: cfa280ad2f7b6ec0af11bedda2d2e5568fb71d5deb48cf0dff18f779ae684bf4
                          • Instruction ID: 02d0913acae8cfdcf9503fa814ea33263f2edec1ea7c7e26459e5d234e5004e7
                          • Opcode Fuzzy Hash: cfa280ad2f7b6ec0af11bedda2d2e5568fb71d5deb48cf0dff18f779ae684bf4
                          • Instruction Fuzzy Hash: 7F21C232610119BFEF628F98DC85EFB3BBAEF89764F018124F9949B190C6719C1187A0
                          APIs
                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0105A46D
                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0105A482
                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0105A48F
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: msctls_trackbar32
                          • API String ID: 3850602802-1010561917
                          • Opcode ID: 1021f9ea8e05e1fdc23f6317ae9a0845fd28b25ef5c54ad792c4f0d94a7316ee
                          • Instruction ID: bd6af7a91b2428a0da124e11551297a403eeeab199d6d83b7283bdaec4820fe5
                          • Opcode Fuzzy Hash: 1021f9ea8e05e1fdc23f6317ae9a0845fd28b25ef5c54ad792c4f0d94a7316ee
                          • Instruction Fuzzy Hash: A011E371240208BEEF615EA9CC49FEB3BA9EFC8764F014218FB85A7091D776A411CB24
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01012350,?), ref: 010122A1
                          • GetProcAddress.KERNEL32(00000000), ref: 010122A8
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoInitialize$combase.dll
                          • API String ID: 2574300362-340411864
                          • Opcode ID: 05caab2a17db57d4f3f570276bb0c621dac5baf71b642c4738513d299a699584
                          • Instruction ID: 463c31d94f37a36767af31683c980e5055a8e6079f329385b483cb03193c09ce
                          • Opcode Fuzzy Hash: 05caab2a17db57d4f3f570276bb0c621dac5baf71b642c4738513d299a699584
                          • Instruction Fuzzy Hash: AAE09A70A94301BBDB756FB5EC8AB9A36A5BB00756F504464F1C2E608CDBBE9045CF18
                          APIs
                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01012276), ref: 01012376
                          • GetProcAddress.KERNEL32(00000000), ref: 0101237D
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RoUninitialize$combase.dll
                          • API String ID: 2574300362-2819208100
                          • Opcode ID: 96af935a85192f301302b961d63c3303d4313333d90d69805eeb9a510c82310d
                          • Instruction ID: 748ec6a4551f94f58820f07a5437f696a67672eb1da6ac2b4e6e3b8abe08759c
                          • Opcode Fuzzy Hash: 96af935a85192f301302b961d63c3303d4313333d90d69805eeb9a510c82310d
                          • Instruction Fuzzy Hash: 14E09270A84300EBDA756BA1E95DB5A3AB8BB00702F104864F1C9E629CCBBE9040CF14
                          APIs
                          Strings
                          Similarity
                          • API ID: LocalTime__swprintf
                          • String ID: %.3d$WIN_XPe
                          • API String ID: 2070861257-2409531811
                          • Opcode ID: dc603e9fdf453b74aa675c4f9d3c1561f05eb126c5c9410a8fbd8203ece6b25d
                          • Instruction ID: 495ae42ab4fb3161b711e0bcf2ca670221b1766da399a07fdccec2a8430ca657
                          • Opcode Fuzzy Hash: dc603e9fdf453b74aa675c4f9d3c1561f05eb126c5c9410a8fbd8203ece6b25d
                          • Instruction Fuzzy Hash: 0BE0127190461CDBCB11BBD0CD45DFD73BCAB04661F440092B9C6F3108D6399B858B21
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,00FF42EC,?,00FF42AA,?), ref: 00FF4304
                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00FF4316
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-1355242751
                          • Opcode ID: 6116d16b0c36e1c8b41c110f9ac941c59b20a711838d38d76270f2759c2eb9af
                          • Instruction ID: f73c3671931890b171ca3ab78ef43488db0272c885861d48ef8048a6d874b39e
                          • Opcode Fuzzy Hash: 6116d16b0c36e1c8b41c110f9ac941c59b20a711838d38d76270f2759c2eb9af
                          • Instruction Fuzzy Hash: 17D09E70D44716AED7205BA5A41865276D8AF54721B10442DAAD5E6124E674D8809B50
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,010521FB,?,010523EF), ref: 01052213
                          • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 01052225
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetProcessId$kernel32.dll
                          • API String ID: 2574300362-399901964
                          • Opcode ID: e0b9664def71cfa475cda0192ecfb1021f1c6e48c484a12a223fca67fe4e3943
                          • Instruction ID: 6e1832d2104fb89f9aad22665087a7e3494add9ba9a9e828b044cbd9fad5de3d
                          • Opcode Fuzzy Hash: e0b9664def71cfa475cda0192ecfb1021f1c6e48c484a12a223fca67fe4e3943
                          • Instruction Fuzzy Hash: 76D05E3C800712EED7615BB9B40864276D8AF04210B10446DACC1F2100D6B5D4808750
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00FF41BB,00FF4341,?,00FF422F,?,00FF41BB,?,?,?,?,00FF39FE,?,00000001), ref: 00FF4359
                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00FF436B
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                          • API String ID: 2574300362-3689287502
                          • Opcode ID: 914b93eba260359471a18cd157ede9783d824e5be792f241e5c911dee4166c1f
                          • Instruction ID: 1b95983a313ecb284ed826093d2faaa44c0359685c94a872ff3612b858072d36
                          • Opcode Fuzzy Hash: 914b93eba260359471a18cd157ede9783d824e5be792f241e5c911dee4166c1f
                          • Instruction Fuzzy Hash: 4FD0A730C04712AFC7304FB1F40865277D8AF10725B01442DE9D1E2110D774E8C0D710
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,?,0103051D,?,010305FE), ref: 01030547
                          • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 01030559
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1071820185
                          • Opcode ID: 4570644207e9f6c43767a48eec3c93ecf06a4bd080c1c956b4669c56cdbe1b5c
                          • Instruction ID: e06bc87120f0606713fd6beb8035eb6eccbc02e255f43ee347767f6d6571eea0
                          • Opcode Fuzzy Hash: 4570644207e9f6c43767a48eec3c93ecf06a4bd080c1c956b4669c56cdbe1b5c
                          • Instruction Fuzzy Hash: 37D0A730800712AFD7308FA5F40860277DCAF00311B90C47DF4C6E2148D679C480C710
                          APIs
                          • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0103052F,?,010306D7), ref: 01030572
                          • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 01030584
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                          • API String ID: 2574300362-1587604923
                          • Opcode ID: ae3d1ce18310a4af2df8836a236fb2d345f539172fe2f419cd373a5f1ad866ab
                          • Instruction ID: f1240de33f122ee76351ab7c58884137620dbd569d1878d4dd97da103a671250
                          • Opcode Fuzzy Hash: ae3d1ce18310a4af2df8836a236fb2d345f539172fe2f419cd373a5f1ad866ab
                          • Instruction Fuzzy Hash: 00D05E31900312AED7205FA5E408A027BDCAF04210B50C47DE8C1A2148D674D0808720
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,?,0104ECBE,?,0104EBBB), ref: 0104ECD6
                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0104ECE8
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                          • API String ID: 2574300362-1816364905
                          • Opcode ID: 115a94fba6b2f8a46835272110897ecadf98dd08160f984e721e7a245e127b2e
                          • Instruction ID: 781ecf262c9dbc2a320d1dc5e19a5bd03f1c3b76f55e9d3fe54b439a7b973683
                          • Opcode Fuzzy Hash: 115a94fba6b2f8a46835272110897ecadf98dd08160f984e721e7a245e127b2e
                          • Instruction Fuzzy Hash: CBD05E70800723AFDB205BA5E4886427AE8AF00210B00846DA8C5E2141DAB8D4809710
                          APIs
                          • LoadLibraryA.KERNEL32(advapi32.dll,?,01053BD1,?,01053E06), ref: 01053BE9
                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01053BFB
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: RegDeleteKeyExW$advapi32.dll
                          • API String ID: 2574300362-4033151799
                          • Opcode ID: 1adcf6954ddb46a8a06e823360ba262f801a2d5ec22ed84f8ce890f31f19102e
                          • Instruction ID: 6ad38b111d4c18a9cdc8786b14613a19d13caf6a3399ea8a57af20b4c758fe7e
                          • Opcode Fuzzy Hash: 1adcf6954ddb46a8a06e823360ba262f801a2d5ec22ed84f8ce890f31f19102e
                          • Instruction Fuzzy Hash: FED05E74800756EAD7605FE6A408607BEF4AF04264B1444ADE8C5E6100D6B4D0808B10
                          APIs
                          • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0104BAD3,00000001,0104B6EE,?,0108DC00), ref: 0104BAEB
                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0104BAFD
                          Strings
                          Similarity
                          • API ID: AddressLibraryLoadProc
                          • String ID: GetModuleHandleExW$kernel32.dll
                          • API String ID: 2574300362-199464113
                          • Opcode ID: a4f7dd8ea3c137049b54c18f1c192fc20656b8d5cac822a735240b93261d118e
                          • Instruction ID: 3cef11119b8c8f892c03e18f0199b98f320ccd7f03d982f15fb50241543c8ef1
                          • Opcode Fuzzy Hash: a4f7dd8ea3c137049b54c18f1c192fc20656b8d5cac822a735240b93261d118e
                          • Instruction Fuzzy Hash: D9D09E74D40712AFD7716FA5B498A5276D8AF04651B14846DA9D7F2104D7B4D480C750
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4840d8dd7521ea2fdb647e80e1411e53f4670530ae7030f8265d732896138a3f
                          • Instruction ID: 63112a43d7a19453602313b843430822778a682ebdb5da50a0bda8a9182530e1
                          • Opcode Fuzzy Hash: 4840d8dd7521ea2fdb647e80e1411e53f4670530ae7030f8265d732896138a3f
                          • Instruction Fuzzy Hash: E8C16E75A0022AEFDF14DF94C884EAEBBB5FF48718F104598E945AB251D730DE41DBA0
                          APIs
                          • CoInitialize.OLE32(00000000), ref: 0104AAB4
                          • CoUninitialize.OLE32 ref: 0104AABF
                            • Part of subcall function 01030213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0103027B
                          • VariantInit.OLEAUT32(?), ref: 0104AACA
                          • VariantClear.OLEAUT32(?), ref: 0104AD9D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                          • String ID:
                          • API String ID: 780911581-0
                          • Opcode ID: 11509065b7b473874e0137d630c84071a87de906ff6a369db6767b5412d2573f
                          • Instruction ID: e26a68223057f08cb50725f4d5c950cfe86a68441ee6901a96aa3ec02a8d0738
                          • Opcode Fuzzy Hash: 11509065b7b473874e0137d630c84071a87de906ff6a369db6767b5412d2573f
                          • Instruction Fuzzy Hash: EFA147B5344705DFDB11EF18C880B6AB7E9BF98710F044859FA9A9B3A1CB74E904CB85
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Variant$AllocClearCopyInitString
                          • String ID:
                          • API String ID: 2808897238-0
                          • Opcode ID: 455490d8c49bada48196c7cfa7eb76c0f9e5bbc6ebc9728071d7fd58a27aa422
                          • Instruction ID: f2a3bfd9dabdafab6f4bf51938930c5fb698a0ab55b8ec65a582c2843e2ecc4a
                          • Opcode Fuzzy Hash: 455490d8c49bada48196c7cfa7eb76c0f9e5bbc6ebc9728071d7fd58a27aa422
                          • Instruction Fuzzy Hash: 2B51B330A003369BDB34AFA9D894A6EB7E9EF59318F10E81FD6C6DB6D1DB3494408705
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                          • String ID:
                          • API String ID: 3877424927-0
                          • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                          • Instruction ID: d96d286877cb85d1bff1bdfc2f7c17f6cd826fb4dadd19156dc5dc26703599ef
                          • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                          • Instruction Fuzzy Hash: 7B51C770A00306DBDB258F6DC8846AE7BE1BF44330F24876DF9A59A2D8D77999548B40
                          APIs
                          • GetWindowRect.USER32(011C6730,?), ref: 0105C544
                          • ScreenToClient.USER32(?,00000002), ref: 0105C574
                          • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0105C5DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$ClientMoveRectScreen
                          • String ID:
                          • API String ID: 3880355969-0
                          • Opcode ID: 9c32153dc81160153593ecb5fd4244f66c3a2ab1bfc294039d18af1aa6041cbc
                          • Instruction ID: 2ba54aa5a20d64f18a7107fedd6fdeac721b6dc50143371ba5ab13a26440ba53
                          • Opcode Fuzzy Hash: 9c32153dc81160153593ecb5fd4244f66c3a2ab1bfc294039d18af1aa6041cbc
                          • Instruction Fuzzy Hash: 0C518E74900204EFDF61DFA8D9C09AE7BF9EF48724F208699F99597281D730E981CB90
                          APIs
                          • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0102C462
                          • __itow.LIBCMT ref: 0102C49C
                            • Part of subcall function 0102C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0102C753
                          • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0102C505
                          • __itow.LIBCMT ref: 0102C55A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend$__itow
                          • String ID:
                          • API String ID: 3379773720-0
                          • Opcode ID: 06dfd2d6fa197a293c7515ee7fe48595923dcda23e6b0a2b81f1ee8ad8d5fab8
                          • Instruction ID: be0b18fe3c181e4d517597ad913110f415fbe000194b2f55205b5e81ea7b54cc
                          • Opcode Fuzzy Hash: 06dfd2d6fa197a293c7515ee7fe48595923dcda23e6b0a2b81f1ee8ad8d5fab8
                          • Instruction Fuzzy Hash: 6741E331A0062DABEF21EF58CD41BFE7BB9AF48700F000059FB45A7291DB749A458BA1
                          APIs
                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 01033966
                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 01033982
                          • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 010339EF
                          • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 01033A4D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 6809d8856f01cd900f49439342a4c89eda326bf941a1b111c756ccbb4ebc5ef3
                          • Instruction ID: 37b77f7fee70d9eaf8d3d42246ee43532c4ed3361e7e4d9f11eef893db17d562
                          • Opcode Fuzzy Hash: 6809d8856f01cd900f49439342a4c89eda326bf941a1b111c756ccbb4ebc5ef3
                          • Instruction Fuzzy Hash: 2241D370E04248AAEF618B698889BFDBBFDBBC5311F04019BE5C1AA2C1C7758985C765
                          APIs
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0103E742
                          • GetLastError.KERNEL32(?,00000000), ref: 0103E768
                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0103E78D
                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0103E7B9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateHardLink$DeleteErrorFileLast
                          • String ID:
                          • API String ID: 3321077145-0
                          • Opcode ID: 12576fdc3b58f30db7b78f7c8ccd2aa72e9e20afa1f21a4c64fbe720fc863b7f
                          • Instruction ID: 31b83b01ca27a4167369f9fcf372129ae2d3272a495f64de1da059589af6db95
                          • Opcode Fuzzy Hash: 12576fdc3b58f30db7b78f7c8ccd2aa72e9e20afa1f21a4c64fbe720fc863b7f
                          • Instruction Fuzzy Hash: 9F416D35600615DFDF11EF55C444A5DBBE9BF99710F088089EA86AB3A2CB74FC01DB81
                          APIs
                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0105B5D1
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InvalidateRect
                          • String ID:
                          • API String ID: 634782764-0
                          • Opcode ID: 6ef34b54cfabdbbe32f890945f0ed1666f78b1bdb0ced3f84434abdab64a7812
                          • Instruction ID: 39aef1f84fd91ec3f15eaceb17e244cd6e5978e5675f764dafd98472a5fdb6bf
                          • Opcode Fuzzy Hash: 6ef34b54cfabdbbe32f890945f0ed1666f78b1bdb0ced3f84434abdab64a7812
                          • Instruction Fuzzy Hash: FB31CF74600208AFEFB59E5CC889FEE7BA6EB09318F544141FED1E61E1CA39B5408B61
                          APIs
                          • ClientToScreen.USER32(?,?), ref: 0105D807
                          • GetWindowRect.USER32(?,?), ref: 0105D87D
                          • PtInRect.USER32(?,?,0105ED5A), ref: 0105D88D
                          • MessageBeep.USER32(00000000), ref: 0105D8FE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Rect$BeepClientMessageScreenWindow
                          • String ID:
                          • API String ID: 1352109105-0
                          • Opcode ID: be03685721ec7b975ac412dd825984b57e496309e1f29c2c4c3735e15e43f712
                          • Instruction ID: f64c453f94b55f2fa4d1974405cbafe7feef8c3aaa918930190633ece505e808
                          • Opcode Fuzzy Hash: be03685721ec7b975ac412dd825984b57e496309e1f29c2c4c3735e15e43f712
                          • Instruction Fuzzy Hash: 6741BC74A00209DFDBA2DF98D484BAA7BF5FF48310F1881AAE9989F255D331E941CB50
                          APIs
                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 01033AB8
                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 01033AD4
                          • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 01033B34
                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 01033B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: KeyboardState$InputMessagePostSend
                          • String ID:
                          • API String ID: 432972143-0
                          • Opcode ID: 85eb15d2d09df0d20176017037d3e0dbc4323a3fe2dfc13b839148f7f8ad9e7f
                          • Instruction ID: e105ae174f3716640563bafd31d6d197fb8447cf5a892d06ec7602bdac6f0f19
                          • Opcode Fuzzy Hash: 85eb15d2d09df0d20176017037d3e0dbc4323a3fe2dfc13b839148f7f8ad9e7f
                          • Instruction Fuzzy Hash: C7310630A00258AEFF399B6888997FE7FEDABC5321F04019AE6C1AB1C1C7758945C761
                          APIs
                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01024038
                          • __isleadbyte_l.LIBCMT ref: 01024066
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 01024094
                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 010240CA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                          • String ID:
                          • API String ID: 3058430110-0
                          • Opcode ID: 02a7ae10337e588423b0e2afee2e5a2d246c75c77410063fbe382d3c07f4b2ec
                          • Instruction ID: 268a1f97df307924839f7c84cc4fea7efc6bdb0e3a34c448a6d50e3989e52509
                          • Opcode Fuzzy Hash: 02a7ae10337e588423b0e2afee2e5a2d246c75c77410063fbe382d3c07f4b2ec
                          • Instruction Fuzzy Hash: 4C319031600226EBEB229E78C884AAA7FE5BF40210F154459FA95CB190D739D8D0CB90
                          APIs
                          • GetForegroundWindow.USER32 ref: 01057CB9
                            • Part of subcall function 01035F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 01035F6F
                            • Part of subcall function 01035F55: GetCurrentThreadId.KERNEL32 ref: 01035F76
                            • Part of subcall function 01035F55: AttachThreadInput.USER32(00000000,?,0103781F), ref: 01035F7D
                          • GetCaretPos.USER32(?), ref: 01057CCA
                          • ClientToScreen.USER32(00000000,?), ref: 01057D03
                          • GetForegroundWindow.USER32 ref: 01057D09
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                          • String ID:
                          • API String ID: 2759813231-0
                          • Opcode ID: 30984fee900861316fc4cb4fc143e01e1df5dbf25bf3aacaac05d846e109a091
                          • Instruction ID: 3d79a74f169e3c0baa3f88f466aa9f27896f43f3102b7feb94e21f518046cd39
                          • Opcode Fuzzy Hash: 30984fee900861316fc4cb4fc143e01e1df5dbf25bf3aacaac05d846e109a091
                          • Instruction Fuzzy Hash: E0312F72D00109AFDB11EFA9C8849EFFBFDEF95214F10846AE855E3250DA359E05CBA0
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • GetCursorPos.USER32(?), ref: 0105F211
                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0106E4C0,?,?,?,?,?), ref: 0105F226
                          • GetCursorPos.USER32(?), ref: 0105F270
                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0106E4C0,?,?,?), ref: 0105F2A6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                          • String ID:
                          • API String ID: 2864067406-0
                          • Opcode ID: e7bf29591193fc7bde6b9716593726ff977bb0579fda2bd9da3211ac07368fe3
                          • Instruction ID: cac9ef3fbf024d070c55b5f47419f5fabee4fc4dfe38d8e8875ae2d2dd626413
                          • Opcode Fuzzy Hash: e7bf29591193fc7bde6b9716593726ff977bb0579fda2bd9da3211ac07368fe3
                          • Instruction Fuzzy Hash: 3B21F078500018AFDB658F98D898EEF7FB5EF09350F048099FE8557295D3799990CB90
                          APIs
                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01044358
                            • Part of subcall function 010443E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 01044401
                            • Part of subcall function 010443E2: InternetCloseHandle.WININET(00000000), ref: 0104449E
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Internet$CloseConnectHandleOpen
                          • String ID:
                          • API String ID: 1463438336-0
                          • Opcode ID: e7cb633b6c3a61c8e1160c8b1753f30b1d729cd08b88ec125981cf4f82d9928f
                          • Instruction ID: e797717a1592c71d6ff05c338a70e7ad01384e1ae1a5a26eae37fa4e6ab69d8d
                          • Opcode Fuzzy Hash: e7cb633b6c3a61c8e1160c8b1753f30b1d729cd08b88ec125981cf4f82d9928f
                          • Instruction Fuzzy Hash: 1721A4B6600605BBEB219F649C80FBBBBE9FF44B11F00802ABA95D6540E77194219B90
                          APIs
                          • GetWindowLongW.USER32(?,000000EC), ref: 01058AA6
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01058AC0
                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 01058ACE
                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01058ADC
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Window$Long$AttributesLayered
                          • String ID:
                          • API String ID: 2169480361-0
                          • Opcode ID: 6719cbba32b5796645975efe314df3582a16f0ef07701490e9fc78030681a75a
                          • Instruction ID: 5d53bf4039249e49c922d6be001c2d61eca0385889130af5fa7e626d96dc0a33
                          • Opcode Fuzzy Hash: 6719cbba32b5796645975efe314df3582a16f0ef07701490e9fc78030681a75a
                          • Instruction Fuzzy Hash: 5811D031205115AFE754AB59CC05FBB779DBF85320F18811AFD96D72E1CB69AC008B94
                          APIs
                          • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 01048AE0
                          • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 01048AF2
                          • accept.WSOCK32(00000000,00000000,00000000), ref: 01048AFF
                          • WSAGetLastError.WSOCK32(00000000), ref: 01048B16
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ErrorLastacceptselect
                          • String ID:
                          • API String ID: 385091864-0
                          • Opcode ID: fef036045603ee29ca5b1c25b5ba2f57a1a17812b0f9ec011d27eab5b40bf9ae
                          • Instruction ID: 196ef2c8bef400d82a614539473f476b99085c06d07538b3f1cdb557c09433d3
                          • Opcode Fuzzy Hash: fef036045603ee29ca5b1c25b5ba2f57a1a17812b0f9ec011d27eab5b40bf9ae
                          • Instruction Fuzzy Hash: 00216671A001249FD7219FA9C894EDEBBECEF59350F0085AAF889E7290DB749945CF90
                          APIs
                            • Part of subcall function 01031E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,01030ABB,?,?,?,0103187A,00000000,000000EF,00000119,?,?), ref: 01031E77
                            • Part of subcall function 01031E68: lstrcpyW.KERNEL32(00000000,?,?,01030ABB,?,?,?,0103187A,00000000,000000EF,00000119,?,?,00000000), ref: 01031E9D
                            • Part of subcall function 01031E68: lstrcmpiW.KERNEL32(00000000,?,01030ABB,?,?,?,0103187A,00000000,000000EF,00000119,?,?), ref: 01031ECE
                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0103187A,00000000,000000EF,00000119,?,?,00000000), ref: 01030AD4
                          • lstrcpyW.KERNEL32(00000000,?,?,0103187A,00000000,000000EF,00000119,?,?,00000000), ref: 01030AFA
                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0103187A,00000000,000000EF,00000119,?,?,00000000), ref: 01030B2E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: lstrcmpilstrcpylstrlen
                          • String ID: cdecl
                          • API String ID: 4031866154-3896280584
                          • Opcode ID: a1fc33eeee821317297051e652cb742af7350708558c0f98a6397e89df89d928
                          • Instruction ID: 109c78090dff2241cc25e87d7d8c9af88259ca0f0c3db73cc26be956fa484f99
                          • Opcode Fuzzy Hash: a1fc33eeee821317297051e652cb742af7350708558c0f98a6397e89df89d928
                          • Instruction Fuzzy Hash: 8E119636101305AFDB259F78DC45D7A77ACFF85354B80406AF985CB254EB719550C7A0
                          APIs
                          • _free.LIBCMT ref: 01022FB5
                            • Part of subcall function 0101395C: __FF_MSGBANNER.LIBCMT ref: 01013973
                            • Part of subcall function 0101395C: __NMSG_WRITE.LIBCMT ref: 0101397A
                            • Part of subcall function 0101395C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000001,00000000,?,?,0100F507,?,0000000E), ref: 0101399F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: AllocateHeap_free
                          • String ID:
                          • API String ID: 614378929-0
                          • Opcode ID: f3833957d3007f162e8c328c76f861e79f5e46dc6d8b6843ba7c82cc7d38e761
                          • Instruction ID: 789a043f48a8399441bfb85cf4f238c99eeb1703a6eda091b9370d320365b256
                          • Opcode Fuzzy Hash: f3833957d3007f162e8c328c76f861e79f5e46dc6d8b6843ba7c82cc7d38e761
                          • Instruction Fuzzy Hash: B411E03190523B9BDB763FB4A85479E3BD4BF58260F104569F9C99E148DF3DC4408BA0
                          APIs
                          • _memset.LIBCMT ref: 0100EBB2
                            • Part of subcall function 00FF51AF: _memset.LIBCMT ref: 00FF522F
                            • Part of subcall function 00FF51AF: _wcscpy.LIBCMT ref: 00FF5283
                            • Part of subcall function 00FF51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00FF5293
                          • KillTimer.USER32(?,00000001,?,?), ref: 0100EC07
                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0100EC16
                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 01063C88
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                          • String ID:
                          • API String ID: 1378193009-0
                          • Opcode ID: 3172f9872614bd7f8efdcaa3c1225839c706e183b07ea5e00caf0d1681283380
                          • Instruction ID: 043c5bf1235bb9eda299930a498e0228b78d1bb1b0f6763ed40d8828d9830a58
                          • Opcode Fuzzy Hash: 3172f9872614bd7f8efdcaa3c1225839c706e183b07ea5e00caf0d1681283380
                          • Instruction Fuzzy Hash: A521B3709047889FF7739B28D855FEABFECAB45318F04048DE6CE6A186C37925858B91
                          APIs
                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 010305AC
                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 010305C7
                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 010305DD
                          • FreeLibrary.KERNEL32(?), ref: 01030632
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                          • String ID:
                          • API String ID: 3137044355-0
                          • Opcode ID: f35e25af13663e1a920b5614e9f9ddb73efd630aa5a148091a69f13e0841dedd
                          • Instruction ID: a2610ed8ac7978d80d0c34412016fcd48ab18a6531c13de405e4ad46046013ab
                          • Opcode Fuzzy Hash: f35e25af13663e1a920b5614e9f9ddb73efd630aa5a148091a69f13e0841dedd
                          • Instruction Fuzzy Hash: 87218471901209EFDB208F95DC88ADBBBBCEFC4700F1084A9F696A2148D775E645DF50
                          APIs
                            • Part of subcall function 0102AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0102AA79
                            • Part of subcall function 0102AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0102AA83
                            • Part of subcall function 0102AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0102AA92
                            • Part of subcall function 0102AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0102AA99
                            • Part of subcall function 0102AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0102AAAF
                          • GetLengthSid.ADVAPI32(?,00000000,0102ADE4,?,?), ref: 0102B21B
                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0102B227
                          • HeapAlloc.KERNEL32(00000000), ref: 0102B22E
                          • CopySid.ADVAPI32(?,00000000,?), ref: 0102B247
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                          • String ID:
                          • API String ID: 4217664535-0
                          • Opcode ID: 697fb7323cd0dac0577755a865f6a55c5572fc4902e855c4f49da0b4f5320474
                          • Instruction ID: 8cb7b048865b0ac94a7807426773e2bd352f77fa96efe887fce7e27ea2251952
                          • Opcode Fuzzy Hash: 697fb7323cd0dac0577755a865f6a55c5572fc4902e855c4f49da0b4f5320474
                          • Instruction Fuzzy Hash: 47119471A00215FFDB249F98DD44AAEBBE9EF85214B14846DE9C2A7200D7359E48CB50
                          APIs
                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0102B498
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0102B4AA
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0102B4C0
                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0102B4DB
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID:
                          • API String ID: 3850602802-0
                          • Opcode ID: 0726b7fc39c9016b63fbd989373198e7c504c61277a8e91e59c5cf5c613f68fb
                          • Instruction ID: 3b640b896bc229b65784d977742e037cddb4ba41ae2a519b1a0a07e7bf5d9f04
                          • Opcode Fuzzy Hash: 0726b7fc39c9016b63fbd989373198e7c504c61277a8e91e59c5cf5c613f68fb
                          • Instruction Fuzzy Hash: 63112A7A900228FFEB11DFA9C985E9DBBB4FF08710F204091E604B7294DA71AE11DB94
                          APIs
                            • Part of subcall function 0100B34E: GetWindowLongW.USER32(?,000000EB), ref: 0100B35F
                          • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0100B5A5
                          • GetClientRect.USER32(?,?), ref: 0106E69A
                          • GetCursorPos.USER32(?), ref: 0106E6A4
                          • ScreenToClient.USER32(?,?), ref: 0106E6AF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Client$CursorLongProcRectScreenWindow
                          • String ID:
                          • API String ID: 4127811313-0
                          • Opcode ID: 3c5b02ca7fe495b39411faa2bdb70033f685c34c9774008617dadaa3ed73d16a
                          • Instruction ID: 3e4ed480f161fd00397519aebdf2668a0f44eecf800ae288dc2f52fbd6c2a978
                          • Opcode Fuzzy Hash: 3c5b02ca7fe495b39411faa2bdb70033f685c34c9774008617dadaa3ed73d16a
                          • Instruction Fuzzy Hash: 4211483990012AFFEB11DF98D8859EE7BB8EF08305F100491F982A7180D335AA91CBA1
                          APIs
                          • GetCurrentThreadId.KERNEL32 ref: 01037352
                          • MessageBoxW.USER32(?,?,?,?), ref: 01037385
                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0103739B
                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 010373A2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                          • String ID:
                          • API String ID: 2880819207-0
                          • Opcode ID: 1543b836423d9c41e89b762beefd426d245092d0dcdf2bfd15cb1ba86d07e8f8
                          • Instruction ID: 9c46607c70de6cf2cc6dee94aa8fa5a8777266ef49d38265b923f9e3258dbdef
                          • Opcode Fuzzy Hash: 1543b836423d9c41e89b762beefd426d245092d0dcdf2bfd15cb1ba86d07e8f8
                          • Instruction Fuzzy Hash: 381104B2A00204BFD7129BACDC4AADE7FEDAF88220F148355F9A5E3245D675890087A0
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0100D1BA
                          • GetStockObject.GDI32(00000011), ref: 0100D1CE
                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 0100D1D8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: CreateMessageObjectSendStockWindow
                          • String ID:
                          • API String ID: 3970641297-0
                          • Opcode ID: 33ed964be5ac126fb370b7f99b126cfd1068ef037e92ea15835562eac477c7d8
                          • Instruction ID: 9e422559bf1b59dd27040855d822fa87473431625d448f5faf33efd6b12592fc
                          • Opcode Fuzzy Hash: 33ed964be5ac126fb370b7f99b126cfd1068ef037e92ea15835562eac477c7d8
                          • Instruction Fuzzy Hash: 0211AD72501549BFFB124FD4DC50EEABB69FF08364F040111FA9462080DB369C60DBA0
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                          • String ID:
                          • API String ID: 3016257755-0
                          • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction ID: 30274c7487f44b31d0fc7162f7d41f8e4c82ea21bc9997841e728e1b9ae25bc5
                          • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                          • Instruction Fuzzy Hash: 7401493204415EBBEF525F88DC118EE3F67BB18354B488495FEA899034D376C6B2AB85
                          APIs
                            • Part of subcall function 01017A0D: __getptd_noexit.LIBCMT ref: 01017A0E
                          • __lock.LIBCMT ref: 0101748F
                          • InterlockedDecrement.KERNEL32(?), ref: 010174AC
                          • _free.LIBCMT ref: 010174BF
                          • InterlockedIncrement.KERNEL32(011B2880), ref: 010174D7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                          • String ID:
                          • API String ID: 2704283638-0
                          • Opcode ID: 1551191b96a9ef91b726440ea759f07024a52d6d5184619508eea462f952e262
                          • Instruction ID: a4516abd21df20164292c75ca51db77c69531c58b8091eaa10c9ef1d5f37d650
                          • Opcode Fuzzy Hash: 1551191b96a9ef91b726440ea759f07024a52d6d5184619508eea462f952e262
                          • Instruction Fuzzy Hash: 6201C432E42A16D7D762AFA8940479EBBA0BF04710F148049E4D46768CCF7D5540CFC1
                          APIs
                          • __lock.LIBCMT ref: 01017AD8
                            • Part of subcall function 01017CF4: __mtinitlocknum.LIBCMT ref: 01017D06
                            • Part of subcall function 01017CF4: EnterCriticalSection.KERNEL32(00000000,?,01017ADD,0000000D), ref: 01017D1F
                          • InterlockedIncrement.KERNEL32(?), ref: 01017AE5
                          • __lock.LIBCMT ref: 01017AF9
                          • ___addlocaleref.LIBCMT ref: 01017B17
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                          • String ID:
                          • API String ID: 1687444384-0
                          • Opcode ID: ddb387803d279422d62ff589ee4388b82218b08a2cd28bfc1e15330816362ecc
                          • Instruction ID: a3a966a0b4a9aa65403c60d3750e9eaa1f42b33bdf17eabbea86c611142d999d
                          • Opcode Fuzzy Hash: ddb387803d279422d62ff589ee4388b82218b08a2cd28bfc1e15330816362ecc
                          • Instruction Fuzzy Hash: 76015B71500B01DED721AFA9D94478AB7F0BF54325F20894ED5DA97294CBB8A680CB40
                          APIs
                          • _memset.LIBCMT ref: 0105E33D
                          • _memset.LIBCMT ref: 0105E34C
                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,010B3D00,010B3D44), ref: 0105E37B
                          • CloseHandle.KERNEL32 ref: 0105E38D
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: _memset$CloseCreateHandleProcess
                          • String ID:
                          • API String ID: 3277943733-0
                          • Opcode ID: c647b5409e79a6f4989997f2a6d5a71da336dc68b9f37230ef7992351d68c456
                          • Instruction ID: b5c4e4f5bca9928984f0a325c6adeb963de3dc3bb5c7b7801d5f8c016b1586ea
                          • Opcode Fuzzy Hash: c647b5409e79a6f4989997f2a6d5a71da336dc68b9f37230ef7992351d68c456
                          • Instruction Fuzzy Hash: 35F05EF1540304BAE3203A64FC95FFB7E6CEB04A54F104821BEC8EA196D37A9C0087A8
                          APIs
                            • Part of subcall function 0100AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0100AFE3
                            • Part of subcall function 0100AF83: SelectObject.GDI32(?,00000000), ref: 0100AFF2
                            • Part of subcall function 0100AF83: BeginPath.GDI32(?), ref: 0100B009
                            • Part of subcall function 0100AF83: SelectObject.GDI32(?,00000000), ref: 0100B033
                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0105EA8E
                          • LineTo.GDI32(00000000,?,?), ref: 0105EA9B
                          • EndPath.GDI32(00000000), ref: 0105EAAB
                          • StrokePath.GDI32(00000000), ref: 0105EAB9
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                          • String ID:
                          • API String ID: 1539411459-0
                          • Opcode ID: 596149580cb5a45cb4ef0b0c6e2ed14b2ab7c6efb2f9577111a04191f2f7072f
                          • Instruction ID: 0efd1cfae7ce0e6a97194c4c7af57ebce66512e6a8dbca5bf65b01048c10216b
                          • Opcode Fuzzy Hash: 596149580cb5a45cb4ef0b0c6e2ed14b2ab7c6efb2f9577111a04191f2f7072f
                          • Instruction Fuzzy Hash: 6AF0BE32401259BBEB23AFE4AC09FCA3F59AF0A310F044101FE81610D0877A5211CBD5
                          APIs
                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0102C84A
                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0102C85D
                          • GetCurrentThreadId.KERNEL32 ref: 0102C864
                          • AttachThreadInput.USER32(00000000), ref: 0102C86B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                          • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                          • String ID:
                          • API String ID: 2710830443-0
                          APIs
                          • GetCurrentThread.KERNEL32 ref: 0102B0D6
                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,0102AC9D), ref: 0102B0DD
                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0102AC9D), ref: 0102B0EA
                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,0102AC9D), ref: 0102B0F1
                          Similarity
                          • API ID: CurrentOpenProcessThreadToken
                          • String ID:
                          • API String ID: 3974789173-0
                          APIs
                          • GetSysColor.USER32(00000008), ref: 0100B496
                          • SetTextColor.GDI32(?,000000FF), ref: 0100B4A0
                          • SetBkMode.GDI32(?,00000001), ref: 0100B4B5
                          • GetStockObject.GDI32(00000005), ref: 0100B4BD
                          • GetWindowDC.USER32(?,00000000), ref: 0106DE2B
                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0106DE38
                          • GetPixel.GDI32(00000000,?,00000000), ref: 0106DE51
                          • GetPixel.GDI32(00000000,00000000,?), ref: 0106DE6A
                          • GetPixel.GDI32(00000000,?,?), ref: 0106DE8A
                          • ReleaseDC.USER32(?,00000000), ref: 0106DE95
                          Similarity
                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                          • String ID:
                          • API String ID: 1946975507-0
                          APIs
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          APIs
                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102B2DF
                          • UnloadUserProfile.USERENV(?,?), ref: 0102B2EB
                          • CloseHandle.KERNEL32(?), ref: 0102B2F4
                          • CloseHandle.KERNEL32(?), ref: 0102B2FC
                            • Part of subcall function 0102AB24: GetProcessHeap.KERNEL32(00000000,?,0102A848), ref: 0102AB2B
                            • Part of subcall function 0102AB24: HeapFree.KERNEL32(00000000), ref: 0102AB32
                          Similarity
                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                          • String ID:
                          • API String ID: 146765662-0
                          APIs
                          Similarity
                          • API ID: CapsDesktopDeviceReleaseWindow
                          • String ID:
                          • API String ID: 2889604237-0
                          APIs
                          • OleSetContainedObject.OLE32(?,00000001), ref: 0102DEAA
                          Strings
                          Similarity
                          • API ID: ContainedObject
                          • String ID: AutoIt3GUI$Container
                          • API String ID: 3565006973-3941886329
                          APIs
                          • Sleep.KERNEL32(00000000), ref: 0100BCDA
                          • GlobalMemoryStatusEx.KERNEL32 ref: 0100BCF3
                          Strings
                          Similarity
                          • API ID: GlobalMemorySleepStatus
                          • String ID: @
                          • API String ID: 2783356886-2766056989
                          APIs
                            • Part of subcall function 00FF44ED: __fread_nolock.LIBCMT ref: 00FF450B
                          • _wcscmp.LIBCMT ref: 0103C65D
                          • _wcscmp.LIBCMT ref: 0103C670
                          Strings
                          Similarity
                          • API ID: _wcscmp$__fread_nolock
                          • String ID: FILE
                          • API String ID: 4029003684-3121273764
                          APIs
                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 0105A85A
                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0105A86F
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: '
                          • API String ID: 3850602802-1997036262
                          APIs
                          • _memset.LIBCMT ref: 01045190
                          • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 010451C6
                          Strings
                          Similarity
                          • API ID: CrackInternet_memset
                          • String ID: |
                          • API String ID: 1413715105-2343686810
                          APIs
                          • DestroyWindow.USER32(?,?,?,?), ref: 0105980E
                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0105984A
                          Strings
                          Similarity
                          • API ID: Window$DestroyMove
                          • String ID: static
                          • API String ID: 2139405536-2160076837
                          APIs
                          • _memset.LIBCMT ref: 010351C6
                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01035201
                          Strings
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          APIs
                          Strings
                          Similarity
                          • API ID: __snwprintf
                          • String ID: , $$AUTOITCALLVARIABLE%d
                          • API String ID: 2391506597-2584243854
                          APIs
                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0105945C
                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01059467
                          Strings
                          Similarity
                          • API ID: MessageSend
                          • String ID: Combobox
                          • API String ID: 3850602802-2096851135
                          APIs
                            • Part of subcall function 0100D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0100D1BA
                            • Part of subcall function 0100D17C: GetStockObject.GDI32(00000011), ref: 0100D1CE
                            • Part of subcall function 0100D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0100D1D8
                          • GetWindowRect.USER32(00000000,?), ref: 01059968
                          • GetSysColor.USER32(00000012), ref: 01059982
                          Strings
                          Similarity
                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                          • String ID: static
                          • API String ID: 1983116058-2160076837
                          APIs
                          • GetWindowTextLengthW.USER32(00000000), ref: 01059699
                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010596A8
                          Strings
                          Similarity
                          • API ID: LengthMessageSendTextWindow
                          • String ID: edit
                          • API String ID: 2978978980-2167791130
                          • Opcode ID: 1bdab5f3b52e1b7a1291b6b904095155d93c3ff45e7d3753ed4465f34d4dbc4f
                          • Instruction ID: e7218378d1722872aab9a2c009d053df84ea1f7571249907a29e7fb7b4a65c3f
                          • Opcode Fuzzy Hash: 1bdab5f3b52e1b7a1291b6b904095155d93c3ff45e7d3753ed4465f34d4dbc4f
                          • Instruction Fuzzy Hash: 86115B71500105EAEBA15EA8DC80AEB3BAAEB09368F504714FDA5971D0C7359C54D760
                          APIs
                          • _memset.LIBCMT ref: 010352D5
                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 010352F4
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: InfoItemMenu_memset
                          • String ID: 0
                          • API String ID: 2223754486-4108050209
                          • Opcode ID: 56d69131fd6afa4af7577ac252df8a6f179f804fccccd26fe19cc995f36c498b
                          • Instruction ID: 3760b9a67984f2630f3c31bafd7eeec2a5a732cf1273719e5cdbfcd41c47cf90
                          • Opcode Fuzzy Hash: 56d69131fd6afa4af7577ac252df8a6f179f804fccccd26fe19cc995f36c498b
                          • Instruction Fuzzy Hash: 1111B272901214ABEB60DA9CDD44BDD7BFCAB86610F054095EAC2E72E4D3B1E904C791
                          APIs
                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01044DF5
                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01044E1E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Internet$OpenOption
                          • String ID: <local>
                          • API String ID: 942729171-4266983199
                          • Opcode ID: 2a56b159e6839e4f59ef5bad40dbeb4b9735e13e18796ac70533133581af7e5d
                          • Instruction ID: d12a47ef7b2290c52127efa662cb7d4ef0835276982f1474533c6a4f9c9a6e49
                          • Opcode Fuzzy Hash: 2a56b159e6839e4f59ef5bad40dbeb4b9735e13e18796ac70533133581af7e5d
                          • Instruction Fuzzy Hash: 4E11A0B0501221FBDB259E96C8C9FFBFEA8FF06655F00827AF5C696140E3B06844C6E0
                          APIs
                          • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0104A84E
                          • htons.WSOCK32(00000000,?,00000000), ref: 0104A88B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: htonsinet_addr
                          • String ID: 255.255.255.255
                          • API String ID: 3832099526-2422070025
                          • Opcode ID: ee4cd793f501f8495c953a2d4f23e3e829293b37eb2b70b32ed4f67a6fe0872f
                          • Instruction ID: 6fd3d9dcdcc58a7e77e63dc6ad9ac6e94dfda24c875799149cdaa970c556cecd
                          • Opcode Fuzzy Hash: ee4cd793f501f8495c953a2d4f23e3e829293b37eb2b70b32ed4f67a6fe0872f
                          • Instruction Fuzzy Hash: 1D01D6B9740305EBDB219FA8C885FAEB368FF54310F10846AE556AB2D1D775E801C751
                          APIs
                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0102B7EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 3e4cbb3121b58fe541368da0214d9577f614e07767eabc140aec6abbe4de342e
                          • Instruction ID: 74a58cecc8df49acb64d7307b29e0a9b84b265eff5813b70bd70e71f75334030
                          • Opcode Fuzzy Hash: 3e4cbb3121b58fe541368da0214d9577f614e07767eabc140aec6abbe4de342e
                          • Instruction Fuzzy Hash: A101D47564013CAFCB04FBA4CC529FE33A9BF55354B04061DF6A2A72D1EBB45908D790
                          APIs
                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 0102B6EB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 92d716638db7648975daeb025a95de3e24d6e13587ff98a30cea2c738d5dcca2
                          • Instruction ID: 679fbb52e92ca12c9dd6c49a0eaaa9af854105901233abc655ae61feceaf35e8
                          • Opcode Fuzzy Hash: 92d716638db7648975daeb025a95de3e24d6e13587ff98a30cea2c738d5dcca2
                          • Instruction Fuzzy Hash: 9001F27564002CABCB14EBA4CE12EFE33A89F19308F00002DF682B3191DA985E0897F5
                          APIs
                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 0102B76C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: MessageSend
                          • String ID: ComboBox$ListBox
                          • API String ID: 3850602802-1403004172
                          • Opcode ID: 1cf5aae214598cf043d2d623144bf77e993fe8e3ec10dde1049a469e60ee3394
                          • Instruction ID: 25cb4d19bd8fa0be01a4bbb58d4e7590e7b178f7757d875bb05c0bc267ccd5a8
                          • Opcode Fuzzy Hash: 1cf5aae214598cf043d2d623144bf77e993fe8e3ec10dde1049a469e60ee3394
                          • Instruction Fuzzy Hash: 0501D67564012CABDB00E7E4CE12EFE73ACAF15344F440029F681B3191DA645E0997B5
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: ClassName_wcscmp
                          • String ID: #32770
                          • API String ID: 2292705959-463685578
                          • Opcode ID: 3b7571ee7c72edb437a523998b093a577349361c63ee6ab696b3064a79629561
                          • Instruction ID: d5f26d7ed3aeffc147dbeee21414308901c7b09d43df805dc8413dacbe0e42f5
                          • Opcode Fuzzy Hash: 3b7571ee7c72edb437a523998b093a577349361c63ee6ab696b3064a79629561
                          • Instruction Fuzzy Hash: D0E09277A0422567D720AAE99C49EC7FBACBB55B60F00405AA985E7141D674E60187D0
                          APIs
                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0102A63F
                            • Part of subcall function 010113F1: _doexit.LIBCMT ref: 010113FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: Message_doexit
                          • String ID: AutoIt$Error allocating memory.
                          • API String ID: 1993061046-4017498283
                          • Opcode ID: 5cca08e2a0e0969ad1914b94cda7b7e9e3a59aaa96b4ea69377bf72b26d92d6d
                          • Instruction ID: 7970f499b209778b9df6598540b5636eeed21536b0accd6c3dc5068892f6a590
                          • Opcode Fuzzy Hash: 5cca08e2a0e0969ad1914b94cda7b7e9e3a59aaa96b4ea69377bf72b26d92d6d
                          • Instruction Fuzzy Hash: 12D0C23138432933D22436E92C1AFC436888F19F91F000019BB88A94C18DEA864002D9
                          APIs
                          • GetSystemDirectoryW.KERNEL32(?), ref: 0106ACC0
                          • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0106AEBD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: DirectoryFreeLibrarySystem
                          • String ID: WIN_XPe
                          • API String ID: 510247158-3257408948
                          • Opcode ID: 6716f5cfd79fcf72971469d5f7cfa2f00278d723b47c4a5d5eb2aab554de9e3e
                          • Instruction ID: 0a5f7af2ed5c321f72190c6e3d9bd24931403d455400f38c9bcf9d82f84d689b
                          • Opcode Fuzzy Hash: 6716f5cfd79fcf72971469d5f7cfa2f00278d723b47c4a5d5eb2aab554de9e3e
                          • Instruction Fuzzy Hash: 39E039B0D00609EFDB21EBA8D9849ECBBBCAF58320F048091E186B2558CB355A84CF21
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010586A2
                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 010586B5
                            • Part of subcall function 01037A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01037AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 4e78e6a991e024685c3d9e3d4ee6146dda9f6ad905afc94b95724e29b0e72890
                          • Instruction ID: b1061e9c015e0a2f47f5120d5806cb0d078a765f77ac2810e36871013ec758d1
                          • Opcode Fuzzy Hash: 4e78e6a991e024685c3d9e3d4ee6146dda9f6ad905afc94b95724e29b0e72890
                          • Instruction Fuzzy Hash: 91D01271794318B7E27466F09C0BFC67A18AF55B21F100819B7C9BE1C4C9E5E940C764
                          APIs
                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010586E2
                          • PostMessageW.USER32(00000000), ref: 010586E9
                            • Part of subcall function 01037A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 01037AD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2020762495.0000000000FF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                           • Associated: 00000000.00000002.2020747553.0000000000FF0000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000107D000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020822453.000000000109E000.00000002.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020855930.00000000010AA000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2020869196.00000000010B4000.00000002.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_ff0000_shipping doc -GY298035826.jbxd
                          Similarity
                          • API ID: FindMessagePostSleepWindow
                          • String ID: Shell_TrayWnd
                          • API String ID: 529655941-2988720461
                          • Opcode ID: 4882e62ce7c16e616ceb0984952ca101922b1336f55bea56def702a9a1d906f8
                          • Instruction ID: 2dc6d22d9be869deac494834a13161e0b9d8360fbd26027cb7121e81df151f61
                          • Opcode Fuzzy Hash: 4882e62ce7c16e616ceb0984952ca101922b1336f55bea56def702a9a1d906f8
                          • Instruction Fuzzy Hash: DBD0C9717813186BE27466B09C0AFC67A18AB59B21F500819B6C9AA1C4C9A5A9408764
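The function blocks above are the report's per-function view of the unpacked AutoIt runtime: each block lists the recovered API calls with their literal arguments, the strings the function references, and the similarity keys (API ID, String ID, API String ID, Opcode ID). Reading them by hand is slow, and the keys are easy to misread: three of the ComboBox$ListBox blocks share one API String ID yet have different Opcode IDs, so that field identifies a profile, not a function. The script below is an added example, not Joe Sandbox tooling and not from the sample's author: it parses this block format, decodes the literal window-message constants passed to SendMessageW/PostMessageW (the constants table holds standard USER32 values), flags network primitives and the AutoIt runtime "Error allocating memory." box that backs the "compiled AutoIt script" signature, and groups blocks that share an API String ID. The triage rules are the example's own assumptions; SAMPLE is a constructed input abridged from four of the entries above with the Memory Dump Source lines cut, and the parser skips those lines when fed the full listing.

```python
"""Parse Joe Sandbox per-function blocks (the 'APIs / Strings / Similarity' listing above)
and run a few triage checks over them. Added example, not Joe Sandbox tooling: the checks
and the message table are assumptions; SAMPLE is abridged from entries in the report."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 01044DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01044E1E
Similarity
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 2a56b159e6839e4f59ef5bad40dbeb4b9735e13e18796ac70533133581af7e5d
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0102B7EF
Similarity
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 3e4cbb3121b58fe541368da0214d9577f614e07767eabc140aec6abbe4de342e
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 0102B6EB
Similarity
• String ID: ComboBox$ListBox
• API String ID: 3850602802-1403004172
• Opcode ID: 92d716638db7648975daeb025a95de3e24d6e13587ff98a30cea2c738d5dcca2
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0102A63F
  • Part of subcall function 010113F1: _doexit.LIBCMT ref: 010113FB
Similarity
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 5cca08e2a0e0969ad1914b94cda7b7e9e3a59aaa96b4ea69377bf72b26d92d6d
"""

# "• Func.MODULE(args), ref: ADDR", plus the indented "Part of subcall function" variant.
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(?P<func>\w+)\."
                    r"(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Standard USER32 constants for the 2nd argument of SendMessageW/PostMessageW.
WINDOW_MESSAGES = {0xB1: "EM_SETSEL", 0x111: "WM_COMMAND", 0x180: "LB_ADDSTRING",
                   0x182: "LB_DELETESTRING", 0x1A2: "LB_FINDSTRINGEXACT"}
NETWORK_MODULES = {"WININET", "WINHTTP", "WSOCK32", "WS2_32"}

def parse_entries(text):
    """One dict per function block: {'apis': [call dicts], 'fields': {key: value}}."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "fields": {}}
            entries.append(cur)
            section = "apis"
        elif line == "Similarity":
            section = "similarity"
        elif line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin"):
            section = None  # headers whose lines this example does not need
        elif cur is not None and section == "apis" and (m := API_RE.match(line)):
            args = m.group("args")
            cur["apis"].append({"func": m.group("func"), "module": m.group("module"),
                                "args": args.split(",") if args is not None else []})
        elif cur is not None and section == "similarity" and (m := FIELD_RE.match(line)):
            cur["fields"][m.group("key")] = m.group("val")
    return entries

def decode_messages(entry):
    """Name the literal window message in each SendMessageW/PostMessageW call."""
    names = []
    for c in entry["apis"]:
        if c["func"] in ("SendMessageW", "PostMessageW") and len(c["args"]) > 1:
            if c["args"][1] != "?":  # '?' means the sandbox did not recover the value
                msg = int(c["args"][1], 16)
                names.append(WINDOW_MESSAGES.get(msg, f"0x{msg:04X}"))
    return names

def triage(entries):
    """(Opcode ID prefix, finding) pairs: what an analyst would look at first."""
    findings = []
    for e in entries:
        opcode = e["fields"].get("Opcode ID", "?")[:12]
        for name in decode_messages(e):
            findings.append((opcode, "window message " + name))
        net = sorted(c["func"] for c in e["apis"] if c["module"] in NETWORK_MODULES)
        if net:
            findings.append((opcode, "network primitives: " + ", ".join(net)))
        if any(c["func"] == "MessageBoxW" and "AutoIt" in c["args"] for c in e["apis"]):
            findings.append((opcode, "AutoIt runtime error box: compiled AutoIt script"))
    return findings

def shared_api_string_ids(entries):
    """'API String ID' is a similarity key, not an identity: blocks that share one use the
    same API+string set yet have different Opcode IDs. Returns {id: [opcode ids]}."""
    groups = defaultdict(list)
    for e in entries:
        if "API String ID" in e["fields"]:
            groups[e["fields"]["API String ID"]].append(e["fields"].get("Opcode ID"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run `triage(parse_entries(SAMPLE))` to get the findings list and `shared_api_string_ids(...)` to see which blocks collapse onto one similarity key. The argument decoding only trusts literal values: a `?` in the report means the sandbox could not recover that argument, and the example leaves it undecoded rather than guessing.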